From b38371173bbb2c3d2e30bc2285e6f1df9c96c0ad Mon Sep 17 00:00:00 2001 From: ablakley-r7 <96182471+ablakley-r7@users.noreply.github.com> Date: Mon, 13 Jan 2025 08:37:29 +0000 Subject: [PATCH] Pretty print --- ...nitor_alerts_full_next_page_state.json.exp | 214 +- .../monitor_alerts_full_page.json.exp | 403 +- .../monitor_alerts_full_page_state.json.exp | 214 +- .../responses/monitor_alerts.json.resp | 340 +- .../monitor_alerts_full_page.json.resp | 32614 ++++++++-------- .../responses/monitor_alerts_two.json.resp | 16477 +++++++- 6 files changed, 33203 insertions(+), 17059 deletions(-) diff --git a/plugins/palo_alto_cortex_xdr/unit_test/expected/monitor_alerts_full_next_page_state.json.exp b/plugins/palo_alto_cortex_xdr/unit_test/expected/monitor_alerts_full_next_page_state.json.exp index 795bb854cf..1b8a0250ad 100644 --- a/plugins/palo_alto_cortex_xdr/unit_test/expected/monitor_alerts_full_next_page_state.json.exp +++ b/plugins/palo_alto_cortex_xdr/unit_test/expected/monitor_alerts_full_next_page_state.json.exp 
@@ -1,105 +1,109 @@ -{"current_count": 200, - "last_alert_hash": ["a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - 
"a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - 
"a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404", - "a502a9c50798186882ad8dc91ac2b38eb185c404"], - "last_search_from": 100, - "last_search_to": 200, - "query_end_time": 1706539560000, - "query_start_time": 1706453160000} \ No newline at end of file +{ + "current_count": 200, + "last_alert_hash": [ + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + 
"a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + 
"a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404", + "a502a9c50798186882ad8dc91ac2b38eb185c404" + ], + "last_search_from": 100, + "last_search_to": 200, + "query_end_time": 1706539560000, + "query_start_time": 1706453160000 +} \ No newline at end of file diff --git a/plugins/palo_alto_cortex_xdr/unit_test/expected/monitor_alerts_full_page.json.exp b/plugins/palo_alto_cortex_xdr/unit_test/expected/monitor_alerts_full_page.json.exp index fdee85be47..a5b9bd74c9 100644 --- a/plugins/palo_alto_cortex_xdr/unit_test/expected/monitor_alerts_full_page.json.exp 
+++ b/plugins/palo_alto_cortex_xdr/unit_test/expected/monitor_alerts_full_page.json.exp @@ -1,5 +1,5 @@ [ - { + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -161,8 +161,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -324,8 +324,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -487,8 +487,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -650,8 +650,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -813,8 +813,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -976,8 +976,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -1139,8 +1139,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -1302,8 +1302,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -1465,8 +1465,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, 
@@ -1628,8 +1628,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -1791,8 +1791,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -1954,8 +1954,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -2117,8 +2117,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -2280,8 +2280,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -2443,8 +2443,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -2606,8 +2606,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -2769,8 +2769,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -2932,8 +2932,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -3095,8 +3095,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, 
@@ -3258,8 +3258,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -3421,8 +3421,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -3584,8 +3584,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -3747,8 +3747,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -3910,8 +3910,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -4073,8 +4073,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -4236,8 +4236,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -4399,8 +4399,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -4562,8 +4562,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -4725,8 +4725,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, 
@@ -4888,8 +4888,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -5051,8 +5051,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -5214,8 +5214,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -5377,8 +5377,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -5540,8 +5540,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -5703,8 +5703,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -5866,8 +5866,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -6029,8 +6029,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -6192,8 +6192,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -6355,8 +6355,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, 
@@ -6518,8 +6518,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -6681,8 +6681,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -6844,8 +6844,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -7007,8 +7007,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -7170,8 +7170,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -7333,8 +7333,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -7496,8 +7496,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -7659,8 +7659,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -7822,8 +7822,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -7985,8 +7985,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, 
@@ -8148,8 +8148,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -8311,8 +8311,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -8474,8 +8474,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -8637,8 +8637,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -8800,8 +8800,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -8963,8 +8963,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -9126,8 +9126,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -9289,8 +9289,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -9452,8 +9452,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -9615,8 +9615,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, 
@@ -9778,8 +9778,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -9941,8 +9941,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -10104,8 +10104,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -10267,8 +10267,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -10430,8 +10430,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -10593,8 +10593,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -10756,8 +10756,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -10919,8 +10919,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -11082,8 +11082,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -11245,8 +11245,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, 
@@ -11408,8 +11408,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -11571,8 +11571,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -11734,8 +11734,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -11897,8 +11897,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -12060,8 +12060,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -12223,8 +12223,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -12386,8 +12386,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -12549,8 +12549,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -12712,8 +12712,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -12875,8 +12875,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, 
@@ -13038,8 +13038,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -13201,8 +13201,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -13364,8 +13364,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -13527,8 +13527,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -13690,8 +13690,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -13853,8 +13853,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -14016,8 +14016,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -14179,8 +14179,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -14342,8 +14342,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -14505,8 +14505,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, 
@@ -14668,8 +14668,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -14831,8 +14831,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -14994,8 +14994,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -15157,8 +15157,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -15320,8 +15320,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -15483,8 +15483,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -15646,8 +15646,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -15809,8 +15809,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -15972,8 +15972,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, @@ -16135,8 +16135,8 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - }, - { + }, + { "agent_os_sub_type": "6.3.420", "fw_app_category": null, "fw_app_id": null, 
@@ -16298,6 +16298,5 @@ "user_name": null, "events_length": 1, "original_tags": "AS:PANE/XDR Agent" - } - ] - + } +] \ No newline at end of file diff --git a/plugins/palo_alto_cortex_xdr/unit_test/expected/monitor_alerts_full_page_state.json.exp b/plugins/palo_alto_cortex_xdr/unit_test/expected/monitor_alerts_full_page_state.json.exp index fa2b0e7560..0a95d1ae26 100644 --- a/plugins/palo_alto_cortex_xdr/unit_test/expected/monitor_alerts_full_page_state.json.exp +++ b/plugins/palo_alto_cortex_xdr/unit_test/expected/monitor_alerts_full_page_state.json.exp 
@@ -1,105 +1,109 @@
-{"current_count": 100,
- "last_alert_hash": ["a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404",
- "a502a9c50798186882ad8dc91ac2b38eb185c404"],
- "last_search_from": 0,
- "last_search_to": 100,
- "query_end_time": 1706539560000,
- "query_start_time": 1706453160000}
\ No newline at end of file
+{
+ "current_count": 100,
+ "last_alert_hash": [
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404",
+ "a502a9c50798186882ad8dc91ac2b38eb185c404"
+ ],
+ "last_search_from": 0,
+ "last_search_to": 100,
+ "query_end_time": 1706539560000,
+ "query_start_time": 1706453160000
+}
\ No newline at end of file
diff --git a/plugins/palo_alto_cortex_xdr/unit_test/responses/monitor_alerts.json.resp b/plugins/palo_alto_cortex_xdr/unit_test/responses/monitor_alerts.json.resp
index cf99daf965..e9a28606ad 100644
--- a/plugins/palo_alto_cortex_xdr/unit_test/responses/monitor_alerts.json.resp
+++ b/plugins/palo_alto_cortex_xdr/unit_test/responses/monitor_alerts.json.resp 
@@ -1,171 +1,171 @@
 {
- "reply": {
- "total_count": 1000,
- "result_count": 1,
- "alerts": [
- {
- "agent_os_sub_type": "6.3.420",
- "fw_app_category": null,
- "fw_app_id": null,
- "fw_app_subcategory": null,
- "fw_app_technology": null,
- "causality_actor_process_command_line": null,
- "causality_actor_process_image_md5": null,
- "causality_actor_process_image_name": null,
- "causality_actor_process_image_path": null,
- "causality_actor_process_image_sha256": null,
- "causality_actor_process_signature_status": "N/A",
- "causality_actor_process_signature_vendor": null,
- "causality_actor_causality_id": null,
- "identity_sub_type": null,
- "identity_type": null,
- "operation_name": null,
- "project": null,
- "cloud_provider": null,
- "referenced_resource": null,
- "resource_sub_type": null,
- "resource_type": null,
- "cluster_name": null,
- "container_id": null,
- "contains_featured_host": "NO",
- "contains_featured_ip": "NO",
- "contains_featured_user": "NO",
- "action_country": "UNKNOWN",
- "fw_interface_to": null,
- "dns_query_name": null,
- "agent_device_domain": "attractions.conor.com",
- "fw_email_recipient": null,
- "fw_email_sender": null,
- "fw_email_subject": null,
- "event_type": null,
- "is_whitelisted": false,
- "action_file_macro_sha256": null,
- "action_file_md5": null,
- "action_file_name": null,
- "action_file_path": null,
- "action_file_sha256": null,
- "fw_device_name": null,
- "fw_rule_id": null,
- "fw_rule": null,
- "fw_serial_number": null,
- "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
- "mac": "2001:db8:1:1:1:1:1:1",
- "agent_os_type": "Windows",
- "image_name": null,
- "actor_process_image_name": "8.8.8.8",
- "actor_process_command_line": null,
- "actor_process_image_md5": null,
- "actor_process_image_path": null,
- "actor_process_os_pid": null,
- "actor_process_image_sha256": null,
- "actor_process_signature_status": "N/A",
- "actor_process_signature_vendor": null,
- "actor_thread_thread_id": null,
- "fw_is_phishing": "N/A",
- "action_local_ip": null,
- "action_local_port": null,
- "fw_misc": null,
- "mitre_tactic_id_and_name": "TA0007 - Discovery",
- "mitre_technique_id_and_name": "T1012 - Query Registry",
- "module_id": "Behavioral Threat Protection",
- "fw_vsys": null,
- "os_actor_process_command_line": null,
- "os_actor_thread_thread_id": null,
- "os_actor_process_image_name": null,
- "os_actor_process_os_pid": null,
- "os_actor_process_image_sha256": null,
- "os_actor_process_signature_status": "N/A",
- "os_actor_process_signature_vendor": null,
- "os_actor_effective_username": null,
- "action_process_signature_status": "N/A",
- "action_process_signature_vendor": null,
- "action_registry_data": null,
- "action_registry_full_key": null,
- "action_external_hostname": null,
- "action_remote_ip": "8.8.8.8",
- "action_remote_port": null,
- "matching_service_rule_id": null,
- "fw_interface_from": null,
- "starred": false,
- "action_process_image_command_line": null,
- "action_process_image_name": null,
- "action_process_image_sha256": null,
- "fw_url_domain": null,
- "user_agent": null,
- "fw_xff": null,
- "alert_domain": "DOMAIN_SECURITY",
- "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "severity": "high",
- "matching_status": "MATCHED",
- "end_match_attempt_ts": null,
- "local_insert_ts": 1706539597503,
- "last_modified_ts": 1706539706370,
- "bioc_indicator": null,
- "attempt_counter": 0,
- "bioc_category_enum_key": null,
- "case_id": 391722,
- "deduplicate_tokens": null,
- "filter_rule_id": null,
- "agent_version": "8.8.8.8",
- "agent_ip_addresses_v6": null,
- "agent_data_collection_status": false,
- "agent_is_vdi": false,
- "agent_install_type": "STANDARD",
- "agent_host_boot_time": null,
- "event_sub_type": null,
- "association_strength": 50,
- "dst_association_strength": null,
- "story_id": null,
- "event_id": null,
- "event_timestamp": 1706540499609,
- "actor_process_instance_id": null,
- "actor_process_causality_id": null,
- "actor_causality_id": null,
- "causality_actor_process_execution_time": null,
- "action_registry_key_name": null,
- "action_registry_value_name": null,
- "action_local_ip_v6": null,
- "action_remote_ip_v6": null,
- "action_process_instance_id": null,
- "action_process_causality_id": null,
- "os_actor_process_instance_id": null,
- "os_actor_process_image_path": null,
- "os_actor_process_causality_id": null,
- "os_actor_causality_id": null,
- "dst_agent_id": null,
- "dst_causality_actor_process_execution_time": null,
- "dst_action_external_hostname": null,
- "dst_action_country": null,
- "dst_action_external_port": null,
- "is_pcap": false,
- "image_id": null,
- "container_name": null,
- "namespace": null,
- "alert_type": "Unclassified",
- "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
- "resolution_comment": null,
- "dynamic_fields": null,
- "tags": "DS:PANW/XDR Agent",
- "malicious_urls": null,
- "dss_job_title": null,
- "dss_department": null,
- "dss_country": null,
- "dss_groups": null,
- "alert_id": "50023290705",
- "detection_timestamp": 1706540499609,
- "name": "Behavioral Threat",
- "category": "Malware",
- "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
- "host_ip": "8.8.8.8",
- "host_name": "hostname",
- "source": "XDR Agent",
- "action": "REPORTED",
- "action_pretty": "Detected (Reported)",
- "user_name": null,
- "events_length": 1,
- "original_tags": "AS:PANE/XDR Agent"
- }
- ]
- }
-}
+ "reply": {
+ "total_count": 1000,
+ "result_count": 1,
+ "alerts": [
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/plugins/palo_alto_cortex_xdr/unit_test/responses/monitor_alerts_full_page.json.resp b/plugins/palo_alto_cortex_xdr/unit_test/responses/monitor_alerts_full_page.json.resp
index d90f8c1b28..8e96f36572 100644
--- a/plugins/palo_alto_cortex_xdr/unit_test/responses/monitor_alerts_full_page.json.resp
+++ b/plugins/palo_alto_cortex_xdr/unit_test/responses/monitor_alerts_full_page.json.resp
@@ -1,16308 +1,16308 @@ { - "reply": { - "total_count": 1000, - "result_count": 100, - "alerts": [ - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", 
- "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - 
"causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": 
null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": 
"N/A",
- "action_process_signature_vendor": null,
- "action_registry_data": null,
- "action_registry_full_key": null,
- "action_external_hostname": null,
- "action_remote_ip": "8.8.8.8",
- "action_remote_port": null,
- "matching_service_rule_id": null,
- "fw_interface_from": null,
- "starred": false,
- "action_process_image_command_line": null,
- "action_process_image_name": null,
- "action_process_image_sha256": null,
- "fw_url_domain": null,
- "user_agent": null,
- "fw_xff": null,
- "alert_domain": "DOMAIN_SECURITY",
- "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "severity": "high",
- "matching_status": "MATCHED",
- "end_match_attempt_ts": null,
- "local_insert_ts": 1706539597503,
- "last_modified_ts": 1706539706370,
- "bioc_indicator": null,
- "attempt_counter": 0,
- "bioc_category_enum_key": null,
- "case_id": 391722,
- "deduplicate_tokens": null,
- "filter_rule_id": null,
- "agent_version": "8.8.8.8",
- "agent_ip_addresses_v6": null,
- "agent_data_collection_status": false,
- "agent_is_vdi": false,
- "agent_install_type": "STANDARD",
- "agent_host_boot_time": null,
- "event_sub_type": null,
- "association_strength": 50,
- "dst_association_strength": null,
- "story_id": null,
- "event_id": null,
- "event_timestamp": 1706540499609,
- "actor_process_instance_id": null,
- "actor_process_causality_id": null,
- "actor_causality_id": null,
- "causality_actor_process_execution_time": null,
- "action_registry_key_name": null,
- "action_registry_value_name": null,
- "action_local_ip_v6": null,
- "action_remote_ip_v6": null,
- "action_process_instance_id": null,
- "action_process_causality_id": null,
- "os_actor_process_instance_id": null,
- "os_actor_process_image_path": null,
- "os_actor_process_causality_id": null,
- "os_actor_causality_id": null,
- "dst_agent_id": null,
- "dst_causality_actor_process_execution_time": null,
- "dst_action_external_hostname": null,
- "dst_action_country": null,
- "dst_action_external_port": null,
- "is_pcap": false,
- "image_id": null,
- "container_name": null,
- "namespace": null,
- "alert_type": "Unclassified",
- "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
- "resolution_comment": null,
- "dynamic_fields": null,
- "tags": "DS:PANW/XDR Agent",
- "malicious_urls": null,
- "dss_job_title": null,
- "dss_department": null,
- "dss_country": null,
- "dss_groups": null,
- "alert_id": "50023290705",
- "detection_timestamp": 1706540499609,
- "name": "Behavioral Threat",
- "category": "Malware",
- "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
- "host_ip": "8.8.8.8",
- "host_name": "hostname",
- "source": "XDR Agent",
- "action": "REPORTED",
- "action_pretty": "Detected (Reported)",
- "user_name": null,
- "events_length": 1,
- "original_tags": "AS:PANE/XDR Agent"
- },
- {
- "agent_os_sub_type": "6.3.420",
- "fw_app_category": null,
- "fw_app_id": null,
- "fw_app_subcategory": null,
- "fw_app_technology": null,
- "causality_actor_process_command_line": null,
- "causality_actor_process_image_md5": null,
- "causality_actor_process_image_name": null,
- "causality_actor_process_image_path": null,
- "causality_actor_process_image_sha256": null,
- "causality_actor_process_signature_status": "N/A",
- "causality_actor_process_signature_vendor": null,
- "causality_actor_causality_id": null,
- "identity_sub_type": null,
- "identity_type": null,
- "operation_name": null,
- "project": null,
- "cloud_provider": null,
- "referenced_resource": null,
- "resource_sub_type": null,
- "resource_type": null,
- "cluster_name": null,
- "container_id": null,
- "contains_featured_host": "NO",
- "contains_featured_ip": "NO",
- "contains_featured_user": "NO",
- "action_country": "UNKNOWN",
- "fw_interface_to": null,
- "dns_query_name": null,
- "agent_device_domain": "attractions.conor.com",
- "fw_email_recipient": null,
- "fw_email_sender": null,
- "fw_email_subject": null,
- "event_type": null,
- "is_whitelisted": false,
- "action_file_macro_sha256": null,
- "action_file_md5": null,
- "action_file_name": null,
- "action_file_path": null,
- "action_file_sha256": null,
- "fw_device_name": null,
- "fw_rule_id": null,
- "fw_rule": null,
- "fw_serial_number": null,
- "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
- "mac": "2001:db8:1:1:1:1:1:1",
- "agent_os_type": "Windows",
- "image_name": null,
- "actor_process_image_name": "8.8.8.8",
- "actor_process_command_line": null,
- "actor_process_image_md5": null,
- "actor_process_image_path": null,
- "actor_process_os_pid": null,
- "actor_process_image_sha256": null,
- "actor_process_signature_status": "N/A",
- "actor_process_signature_vendor": null,
- "actor_thread_thread_id": null,
- "fw_is_phishing": "N/A",
- "action_local_ip": null,
- "action_local_port": null,
- "fw_misc": null,
- "mitre_tactic_id_and_name": "TA0007 - Discovery",
- "mitre_technique_id_and_name": "T1012 - Query Registry",
- "module_id": "Behavioral Threat Protection",
- "fw_vsys": null,
- "os_actor_process_command_line": null,
- "os_actor_thread_thread_id": null,
- "os_actor_process_image_name": null,
- "os_actor_process_os_pid": null,
- "os_actor_process_image_sha256": null,
- "os_actor_process_signature_status": "N/A",
- "os_actor_process_signature_vendor": null,
- "os_actor_effective_username": null,
- "action_process_signature_status": "N/A",
- "action_process_signature_vendor": null,
- "action_registry_data": null,
- "action_registry_full_key": null,
- "action_external_hostname": null,
- "action_remote_ip": "8.8.8.8",
- "action_remote_port": null,
- "matching_service_rule_id": null,
- "fw_interface_from": null,
- "starred": false,
- "action_process_image_command_line": null,
- "action_process_image_name": null,
- "action_process_image_sha256": null,
- "fw_url_domain": null,
- "user_agent": null,
- "fw_xff": null,
- "alert_domain": "DOMAIN_SECURITY",
- "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "severity": "high",
- "matching_status": "MATCHED",
- "end_match_attempt_ts": null,
- "local_insert_ts": 1706539597503,
- "last_modified_ts": 1706539706370,
- "bioc_indicator": null,
- "attempt_counter": 0,
- "bioc_category_enum_key": null,
- "case_id": 391722,
- "deduplicate_tokens": null,
- "filter_rule_id": null,
- "agent_version": "8.8.8.8",
- "agent_ip_addresses_v6": null,
- "agent_data_collection_status": false,
- "agent_is_vdi": false,
- "agent_install_type": "STANDARD",
- "agent_host_boot_time": null,
- "event_sub_type": null,
- "association_strength": 50,
- "dst_association_strength": null,
- "story_id": null,
- "event_id": null,
- "event_timestamp": 1706540499609,
- "actor_process_instance_id": null,
- "actor_process_causality_id": null,
- "actor_causality_id": null,
- "causality_actor_process_execution_time": null,
- "action_registry_key_name": null,
- "action_registry_value_name": null,
- "action_local_ip_v6": null,
- "action_remote_ip_v6": null,
- "action_process_instance_id": null,
- "action_process_causality_id": null,
- "os_actor_process_instance_id": null,
- "os_actor_process_image_path": null,
- "os_actor_process_causality_id": null,
- "os_actor_causality_id": null,
- "dst_agent_id": null,
- "dst_causality_actor_process_execution_time": null,
- "dst_action_external_hostname": null,
- "dst_action_country": null,
- "dst_action_external_port": null,
- "is_pcap": false,
- "image_id": null,
- "container_name": null,
- "namespace": null,
- "alert_type": "Unclassified",
- "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
- "resolution_comment": null,
- "dynamic_fields": null,
- "tags": "DS:PANW/XDR Agent",
- "malicious_urls": null,
- "dss_job_title": null,
- "dss_department": null,
- "dss_country": null,
- "dss_groups": null,
- "alert_id": "50023290705",
- "detection_timestamp": 1706540499609,
- "name": "Behavioral Threat",
- "category": "Malware",
- "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
- "host_ip": "8.8.8.8",
- "host_name": "hostname",
- "source": "XDR Agent",
- "action": "REPORTED",
- "action_pretty": "Detected (Reported)",
- "user_name": null,
- "events_length": 1,
- "original_tags": "AS:PANE/XDR Agent"
- },
- {
- "agent_os_sub_type": "6.3.420",
- "fw_app_category": null,
- "fw_app_id": null,
- "fw_app_subcategory": null,
- "fw_app_technology": null,
- "causality_actor_process_command_line": null,
- "causality_actor_process_image_md5": null,
- "causality_actor_process_image_name": null,
- "causality_actor_process_image_path": null,
- "causality_actor_process_image_sha256": null,
- "causality_actor_process_signature_status": "N/A",
- "causality_actor_process_signature_vendor": null,
- "causality_actor_causality_id": null,
- "identity_sub_type": null,
- "identity_type": null,
- "operation_name": null,
- "project": null,
- "cloud_provider": null,
- "referenced_resource": null,
- "resource_sub_type": null,
- "resource_type": null,
- "cluster_name": null,
- "container_id": null,
- "contains_featured_host": "NO",
- "contains_featured_ip": "NO",
- "contains_featured_user": "NO",
- "action_country": "UNKNOWN",
- "fw_interface_to": null,
- "dns_query_name": null,
- "agent_device_domain": "attractions.conor.com",
- "fw_email_recipient": null,
- "fw_email_sender": null,
- "fw_email_subject": null,
- "event_type": null,
- "is_whitelisted": false,
- "action_file_macro_sha256": null,
- "action_file_md5": null,
- "action_file_name": null,
- "action_file_path": null,
- "action_file_sha256": null,
- "fw_device_name": null,
- "fw_rule_id": null,
- "fw_rule": null,
- "fw_serial_number": null,
- "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
- "mac": "2001:db8:1:1:1:1:1:1",
- "agent_os_type": "Windows",
- "image_name": null,
- "actor_process_image_name": "8.8.8.8",
- "actor_process_command_line": null,
- "actor_process_image_md5": null,
- "actor_process_image_path": null,
- "actor_process_os_pid": null,
- "actor_process_image_sha256": null,
- "actor_process_signature_status": "N/A",
- "actor_process_signature_vendor": null,
- "actor_thread_thread_id": null,
- "fw_is_phishing": "N/A",
- "action_local_ip": null,
- "action_local_port": null,
- "fw_misc": null,
- "mitre_tactic_id_and_name": "TA0007 - Discovery",
- "mitre_technique_id_and_name": "T1012 - Query Registry",
- "module_id": "Behavioral Threat Protection",
- "fw_vsys": null,
- "os_actor_process_command_line": null,
- "os_actor_thread_thread_id": null,
- "os_actor_process_image_name": null,
- "os_actor_process_os_pid": null,
- "os_actor_process_image_sha256": null,
- "os_actor_process_signature_status": "N/A",
- "os_actor_process_signature_vendor": null,
- "os_actor_effective_username": null,
- "action_process_signature_status": "N/A",
- "action_process_signature_vendor": null,
- "action_registry_data": null,
- "action_registry_full_key": null,
- "action_external_hostname": null,
- "action_remote_ip": "8.8.8.8",
- "action_remote_port": null,
- "matching_service_rule_id": null,
- "fw_interface_from": null,
- "starred": false,
- "action_process_image_command_line": null,
- "action_process_image_name": null,
- "action_process_image_sha256": null,
- "fw_url_domain": null,
- "user_agent": null,
- "fw_xff": null,
- "alert_domain": "DOMAIN_SECURITY",
- "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "severity": "high",
- "matching_status": "MATCHED",
- "end_match_attempt_ts": null,
- "local_insert_ts": 1706539597503,
- "last_modified_ts": 1706539706370,
- "bioc_indicator": null,
- "attempt_counter": 0,
- "bioc_category_enum_key": null,
- "case_id": 391722,
- "deduplicate_tokens": null,
- "filter_rule_id": null,
- "agent_version": "8.8.8.8",
- "agent_ip_addresses_v6": null,
- "agent_data_collection_status": false,
- "agent_is_vdi": false,
- "agent_install_type": "STANDARD",
- "agent_host_boot_time": null,
- "event_sub_type": null,
- "association_strength": 50,
- "dst_association_strength": null,
- "story_id": null,
- "event_id": null,
- "event_timestamp": 1706540499609,
- "actor_process_instance_id": null,
- "actor_process_causality_id": null,
- "actor_causality_id": null,
- "causality_actor_process_execution_time": null,
- "action_registry_key_name": null,
- "action_registry_value_name": null,
- "action_local_ip_v6": null,
- "action_remote_ip_v6": null,
- "action_process_instance_id": null,
- "action_process_causality_id": null,
- "os_actor_process_instance_id": null,
- "os_actor_process_image_path": null,
- "os_actor_process_causality_id": null,
- "os_actor_causality_id": null,
- "dst_agent_id": null,
- "dst_causality_actor_process_execution_time": null,
- "dst_action_external_hostname": null,
- "dst_action_country": null,
- "dst_action_external_port": null,
- "is_pcap": false,
- "image_id": null,
- "container_name": null,
- "namespace": null,
- "alert_type": "Unclassified",
- "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
- "resolution_comment": null,
- "dynamic_fields": null,
- "tags": "DS:PANW/XDR Agent",
- "malicious_urls": null,
- "dss_job_title": null,
- "dss_department": null,
- "dss_country": null,
- "dss_groups": null,
- "alert_id": "50023290705",
- "detection_timestamp": 1706540499609,
- "name": "Behavioral Threat",
- "category": "Malware",
- "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
- "host_ip": "8.8.8.8",
- "host_name": "hostname",
- "source": "XDR Agent",
- "action": "REPORTED",
- "action_pretty": "Detected (Reported)",
- "user_name": null,
- "events_length": 1,
- "original_tags": "AS:PANE/XDR Agent"
- },
- {
- "agent_os_sub_type": "6.3.420",
- "fw_app_category": null,
- "fw_app_id": null,
- "fw_app_subcategory": null,
- "fw_app_technology": null,
- "causality_actor_process_command_line": null,
- "causality_actor_process_image_md5": null,
- "causality_actor_process_image_name": null,
- "causality_actor_process_image_path": null,
- "causality_actor_process_image_sha256": null,
- "causality_actor_process_signature_status": "N/A",
- "causality_actor_process_signature_vendor": null,
- "causality_actor_causality_id": null,
- "identity_sub_type": null,
- "identity_type": null,
- "operation_name": null,
- "project": null,
- "cloud_provider": null,
- "referenced_resource": null,
- "resource_sub_type": null,
- "resource_type": null,
- "cluster_name": null,
- "container_id": null,
- "contains_featured_host": "NO",
- "contains_featured_ip": "NO",
- "contains_featured_user": "NO",
- "action_country": "UNKNOWN",
- "fw_interface_to": null,
- "dns_query_name": null,
- "agent_device_domain": "attractions.conor.com",
- "fw_email_recipient": null,
- "fw_email_sender": null,
- "fw_email_subject": null,
- "event_type": null,
- "is_whitelisted": false,
- "action_file_macro_sha256": null,
- "action_file_md5": null,
- "action_file_name": null,
- "action_file_path": null,
- "action_file_sha256": null,
- "fw_device_name": null,
- "fw_rule_id": null,
- "fw_rule": null,
- "fw_serial_number": null,
- "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
- "mac": "2001:db8:1:1:1:1:1:1",
- "agent_os_type": "Windows",
- "image_name": null,
- "actor_process_image_name": "8.8.8.8",
- "actor_process_command_line": null,
- "actor_process_image_md5": null,
- "actor_process_image_path": null,
- "actor_process_os_pid": null,
- "actor_process_image_sha256": null,
- "actor_process_signature_status": "N/A",
- "actor_process_signature_vendor": null,
- "actor_thread_thread_id": null,
- "fw_is_phishing": "N/A",
- "action_local_ip": null,
- "action_local_port": null,
- "fw_misc": null,
- "mitre_tactic_id_and_name": "TA0007 - Discovery",
- "mitre_technique_id_and_name": "T1012 - Query Registry",
- "module_id": "Behavioral Threat Protection",
- "fw_vsys": null,
- "os_actor_process_command_line": null,
- "os_actor_thread_thread_id": null,
- "os_actor_process_image_name": null,
- "os_actor_process_os_pid": null,
- "os_actor_process_image_sha256": null,
- "os_actor_process_signature_status": "N/A",
- "os_actor_process_signature_vendor": null,
- "os_actor_effective_username": null,
- "action_process_signature_status": "N/A",
- "action_process_signature_vendor": null,
- "action_registry_data": null,
- "action_registry_full_key": null,
- "action_external_hostname": null,
- "action_remote_ip": "8.8.8.8",
- "action_remote_port": null,
- "matching_service_rule_id": null,
- "fw_interface_from": null,
- "starred": false,
- "action_process_image_command_line": null,
- "action_process_image_name": null,
- "action_process_image_sha256": null,
- "fw_url_domain": null,
- "user_agent": null,
- "fw_xff": null,
- "alert_domain": "DOMAIN_SECURITY",
- "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "severity": "high",
- "matching_status": "MATCHED",
- "end_match_attempt_ts": null,
- "local_insert_ts": 1706539597503,
- "last_modified_ts": 1706539706370,
- "bioc_indicator": null,
- "attempt_counter": 0,
- "bioc_category_enum_key": null,
- "case_id": 391722,
- "deduplicate_tokens": null,
- "filter_rule_id": null,
- "agent_version": "8.8.8.8",
- "agent_ip_addresses_v6": null,
- "agent_data_collection_status": false,
- "agent_is_vdi": false,
- "agent_install_type": "STANDARD",
- "agent_host_boot_time": null,
- "event_sub_type": null,
- "association_strength": 50,
- "dst_association_strength": null,
- "story_id": null,
- "event_id": null,
- "event_timestamp": 1706540499609,
- "actor_process_instance_id": null,
- "actor_process_causality_id": null,
- "actor_causality_id": null,
- "causality_actor_process_execution_time": null,
- "action_registry_key_name": null,
- "action_registry_value_name": null,
- "action_local_ip_v6": null,
- "action_remote_ip_v6": null,
- "action_process_instance_id": null,
- "action_process_causality_id": null,
- "os_actor_process_instance_id": null,
- "os_actor_process_image_path": null,
- "os_actor_process_causality_id": null,
- "os_actor_causality_id": null,
- "dst_agent_id": null,
- "dst_causality_actor_process_execution_time": null,
- "dst_action_external_hostname": null,
- "dst_action_country": null,
- "dst_action_external_port": null,
- "is_pcap": false,
- "image_id": null,
- "container_name": null,
- "namespace": null,
- "alert_type": "Unclassified",
- "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
- "resolution_comment": null,
- "dynamic_fields": null,
- "tags": "DS:PANW/XDR Agent",
- "malicious_urls": null,
- "dss_job_title": null,
- "dss_department": null,
- "dss_country": null,
- "dss_groups": null,
- "alert_id": "50023290705",
- "detection_timestamp": 1706540499609,
- "name": "Behavioral Threat",
- "category": "Malware",
- "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
- "host_ip": "8.8.8.8",
- "host_name": "hostname",
- "source": "XDR Agent",
- "action": "REPORTED",
- "action_pretty": "Detected (Reported)",
- "user_name": null,
- "events_length": 1,
- "original_tags": "AS:PANE/XDR Agent"
- },
- {
- "agent_os_sub_type": "6.3.420",
- "fw_app_category": null,
- "fw_app_id": null,
- "fw_app_subcategory": null,
- "fw_app_technology": null,
- "causality_actor_process_command_line": null,
- "causality_actor_process_image_md5": null,
- "causality_actor_process_image_name": null,
- "causality_actor_process_image_path": null,
- "causality_actor_process_image_sha256": null,
- "causality_actor_process_signature_status": "N/A",
- "causality_actor_process_signature_vendor": null,
- "causality_actor_causality_id": null,
- "identity_sub_type": null,
- "identity_type": null,
- "operation_name": null,
- "project": null,
- "cloud_provider": null,
- "referenced_resource": null,
- "resource_sub_type": null,
- "resource_type": null,
- "cluster_name": null,
- "container_id": null,
- "contains_featured_host": "NO",
- "contains_featured_ip": "NO",
- "contains_featured_user": "NO",
- "action_country": "UNKNOWN",
- "fw_interface_to": null,
- "dns_query_name": null,
- "agent_device_domain": "attractions.conor.com",
- "fw_email_recipient": null,
- "fw_email_sender": null,
- "fw_email_subject": null,
- "event_type": null,
- "is_whitelisted": false,
- "action_file_macro_sha256": null,
- "action_file_md5": null,
- "action_file_name": null,
- "action_file_path": null,
- "action_file_sha256": null,
- "fw_device_name": null,
- "fw_rule_id": null,
- "fw_rule": null,
- "fw_serial_number": null,
- "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
- "mac": "2001:db8:1:1:1:1:1:1",
- "agent_os_type": "Windows",
- "image_name": null,
- "actor_process_image_name": "8.8.8.8",
- "actor_process_command_line": null,
- "actor_process_image_md5": null,
- "actor_process_image_path": null,
- "actor_process_os_pid": null,
- "actor_process_image_sha256": null,
- "actor_process_signature_status": "N/A",
- "actor_process_signature_vendor": null,
- "actor_thread_thread_id": null,
- "fw_is_phishing": "N/A",
- "action_local_ip": null,
- "action_local_port": null,
- "fw_misc": null,
- "mitre_tactic_id_and_name": "TA0007 - Discovery",
- "mitre_technique_id_and_name": "T1012 - Query Registry",
- "module_id": "Behavioral Threat Protection",
- "fw_vsys": null,
- "os_actor_process_command_line": null,
- "os_actor_thread_thread_id": null,
- "os_actor_process_image_name": null,
- "os_actor_process_os_pid": null,
- "os_actor_process_image_sha256": null,
- "os_actor_process_signature_status": "N/A",
- "os_actor_process_signature_vendor": null,
- "os_actor_effective_username": null,
- "action_process_signature_status": "N/A",
- "action_process_signature_vendor": null,
- "action_registry_data": null,
- "action_registry_full_key": null,
- "action_external_hostname": null,
- "action_remote_ip": "8.8.8.8",
- "action_remote_port": null,
- "matching_service_rule_id": null,
- "fw_interface_from": null,
- "starred": false,
- "action_process_image_command_line": null,
- "action_process_image_name": null,
- "action_process_image_sha256": null,
- "fw_url_domain": null,
- "user_agent": null,
- "fw_xff": null,
- "alert_domain": "DOMAIN_SECURITY",
- "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "severity": "high",
- "matching_status": "MATCHED",
- "end_match_attempt_ts": null,
- "local_insert_ts": 1706539597503,
- "last_modified_ts": 1706539706370,
- "bioc_indicator": null,
- "attempt_counter": 0,
- "bioc_category_enum_key": null,
- "case_id": 391722,
- "deduplicate_tokens": null,
- "filter_rule_id": null,
- "agent_version": "8.8.8.8",
- "agent_ip_addresses_v6": null,
- "agent_data_collection_status": false,
- "agent_is_vdi": false,
- "agent_install_type": "STANDARD",
- "agent_host_boot_time": null,
- "event_sub_type": null,
- "association_strength": 50,
- "dst_association_strength": null,
- "story_id": null,
- "event_id": null,
- "event_timestamp": 1706540499609,
- "actor_process_instance_id": null,
- "actor_process_causality_id": null,
- "actor_causality_id": null,
- "causality_actor_process_execution_time": null,
- "action_registry_key_name": null,
- "action_registry_value_name": null,
- "action_local_ip_v6": null,
- "action_remote_ip_v6": null,
- "action_process_instance_id": null,
- "action_process_causality_id": null,
- "os_actor_process_instance_id": null,
- "os_actor_process_image_path": null,
- "os_actor_process_causality_id": null,
- "os_actor_causality_id": null,
- "dst_agent_id": null,
- "dst_causality_actor_process_execution_time": null,
- "dst_action_external_hostname": null,
- "dst_action_country": null,
- "dst_action_external_port": null,
- "is_pcap": false,
- "image_id": null,
- "container_name": null,
- "namespace": null,
- "alert_type": "Unclassified",
- "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
- "resolution_comment": null,
- "dynamic_fields": null,
- "tags": "DS:PANW/XDR Agent",
- "malicious_urls": null,
- "dss_job_title": null,
- "dss_department": null,
- "dss_country": null,
- "dss_groups": null,
- "alert_id": "50023290705",
- "detection_timestamp": 1706540499609,
- "name": "Behavioral Threat",
- "category": "Malware",
- "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
- "host_ip": "8.8.8.8",
- "host_name": "hostname",
- "source": "XDR Agent",
- "action": "REPORTED",
- "action_pretty": "Detected (Reported)",
- "user_name": null,
- "events_length": 1,
- "original_tags": "AS:PANE/XDR Agent"
- },
- {
- "agent_os_sub_type": "6.3.420",
- "fw_app_category": null,
- "fw_app_id": null,
- "fw_app_subcategory": null,
- "fw_app_technology": null,
- "causality_actor_process_command_line": null,
- "causality_actor_process_image_md5": null,
- "causality_actor_process_image_name": null,
- "causality_actor_process_image_path": null,
- "causality_actor_process_image_sha256": null,
- "causality_actor_process_signature_status": "N/A",
- "causality_actor_process_signature_vendor": null,
- "causality_actor_causality_id": null,
- "identity_sub_type": null,
- "identity_type": null,
- "operation_name": null,
- "project": null,
- "cloud_provider": null,
- "referenced_resource": null,
- "resource_sub_type": null,
- "resource_type": null,
- "cluster_name": null,
- "container_id": null,
- "contains_featured_host": "NO",
- "contains_featured_ip": "NO",
- "contains_featured_user": "NO",
- "action_country": "UNKNOWN",
- "fw_interface_to": null,
- "dns_query_name": null,
- "agent_device_domain": "attractions.conor.com",
- "fw_email_recipient": null,
- "fw_email_sender": null,
- "fw_email_subject": null,
- "event_type": null,
- "is_whitelisted": false,
- "action_file_macro_sha256": null,
- "action_file_md5": null,
- "action_file_name": null,
- "action_file_path": null,
- "action_file_sha256": null,
- "fw_device_name": null,
- "fw_rule_id": null,
- "fw_rule": null,
- "fw_serial_number": null,
- "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
- "mac": "2001:db8:1:1:1:1:1:1",
- "agent_os_type": "Windows",
- "image_name": null,
- "actor_process_image_name": "8.8.8.8",
- "actor_process_command_line": null,
- "actor_process_image_md5": null,
- "actor_process_image_path": null,
- "actor_process_os_pid": null,
- "actor_process_image_sha256": null,
- "actor_process_signature_status": "N/A",
- "actor_process_signature_vendor": null,
- "actor_thread_thread_id": null,
- "fw_is_phishing": "N/A",
- "action_local_ip": null,
- "action_local_port": null,
- "fw_misc": null,
- "mitre_tactic_id_and_name": "TA0007 - Discovery",
- "mitre_technique_id_and_name": "T1012 - Query Registry",
- "module_id": "Behavioral Threat Protection",
- "fw_vsys": null,
- "os_actor_process_command_line": null,
- "os_actor_thread_thread_id": null,
- "os_actor_process_image_name": null,
- "os_actor_process_os_pid": null,
- "os_actor_process_image_sha256": null,
- "os_actor_process_signature_status": "N/A",
- "os_actor_process_signature_vendor": null,
- "os_actor_effective_username": null,
- "action_process_signature_status": "N/A",
- "action_process_signature_vendor": null,
- "action_registry_data": null,
- "action_registry_full_key": null,
- "action_external_hostname": null,
- "action_remote_ip": "8.8.8.8",
- "action_remote_port": null,
- "matching_service_rule_id": null,
- "fw_interface_from": null,
- "starred": false,
- "action_process_image_command_line": null,
- "action_process_image_name": null,
- "action_process_image_sha256": null,
- "fw_url_domain": null,
- "user_agent": null,
- "fw_xff": null,
- "alert_domain": "DOMAIN_SECURITY",
- "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "severity": "high",
- "matching_status": "MATCHED",
- "end_match_attempt_ts": null,
- "local_insert_ts": 1706539597503,
- "last_modified_ts": 1706539706370,
- "bioc_indicator": null,
- "attempt_counter": 0,
- "bioc_category_enum_key": null,
- "case_id": 391722,
- "deduplicate_tokens": null,
- "filter_rule_id": null,
- "agent_version": "8.8.8.8",
- "agent_ip_addresses_v6": null,
- "agent_data_collection_status": false,
- "agent_is_vdi": false,
- "agent_install_type": "STANDARD",
- "agent_host_boot_time": null,
- "event_sub_type": null,
- "association_strength": 50,
- "dst_association_strength": null,
- "story_id": null,
- "event_id": null,
- "event_timestamp": 1706540499609,
- "actor_process_instance_id": null,
- "actor_process_causality_id": null,
- "actor_causality_id": null,
- "causality_actor_process_execution_time": null,
- "action_registry_key_name": null,
- "action_registry_value_name": null,
- "action_local_ip_v6": null,
- "action_remote_ip_v6": null,
- "action_process_instance_id": null,
- "action_process_causality_id": null,
- "os_actor_process_instance_id": null,
- "os_actor_process_image_path": null,
- "os_actor_process_causality_id": null,
- "os_actor_causality_id": null,
- "dst_agent_id": null,
- "dst_causality_actor_process_execution_time": null,
- "dst_action_external_hostname": null,
- "dst_action_country": null,
- "dst_action_external_port": null,
- "is_pcap": false,
- "image_id": null,
- "container_name": null,
- "namespace": null,
- "alert_type": "Unclassified",
- "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
- "resolution_comment": null,
- "dynamic_fields": null,
- "tags": "DS:PANW/XDR Agent",
- "malicious_urls": null,
- "dss_job_title": null,
- "dss_department": null,
- "dss_country": null,
- "dss_groups": null,
- "alert_id": "50023290705",
- "detection_timestamp": 1706540499609,
- "name": "Behavioral Threat",
- "category": "Malware",
- "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
- "host_ip": "8.8.8.8",
- "host_name": "hostname",
- "source": "XDR Agent",
- "action": "REPORTED",
- "action_pretty": "Detected (Reported)",
- "user_name": null,
- "events_length": 1,
- "original_tags": "AS:PANE/XDR Agent"
- },
- {
- "agent_os_sub_type": "6.3.420",
- "fw_app_category": null,
- "fw_app_id": null,
- "fw_app_subcategory": null,
- "fw_app_technology": null,
- "causality_actor_process_command_line": null,
- "causality_actor_process_image_md5": null,
- "causality_actor_process_image_name": null,
- "causality_actor_process_image_path": null,
- "causality_actor_process_image_sha256": null,
- "causality_actor_process_signature_status": "N/A",
- "causality_actor_process_signature_vendor": null,
- "causality_actor_causality_id": null,
- "identity_sub_type": null,
- "identity_type": null,
- "operation_name": null,
- "project": null,
- "cloud_provider": null,
- "referenced_resource": null,
- "resource_sub_type": null,
- "resource_type": null,
- "cluster_name": null,
- "container_id": null,
- "contains_featured_host": "NO",
- "contains_featured_ip": "NO",
- "contains_featured_user": "NO",
- "action_country": "UNKNOWN",
- "fw_interface_to": null,
- "dns_query_name": null,
- "agent_device_domain": "attractions.conor.com",
- "fw_email_recipient": null,
- "fw_email_sender": null,
- "fw_email_subject": null,
- "event_type": null,
- "is_whitelisted": false,
- "action_file_macro_sha256": null,
- "action_file_md5": null,
- "action_file_name": null,
- "action_file_path": null,
- "action_file_sha256": null,
- "fw_device_name": null,
- "fw_rule_id": null,
- "fw_rule": null,
- "fw_serial_number": null,
- "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
- "mac": "2001:db8:1:1:1:1:1:1",
- "agent_os_type": "Windows",
- "image_name": null,
- "actor_process_image_name": "8.8.8.8",
- "actor_process_command_line": null,
- "actor_process_image_md5": null,
- "actor_process_image_path": null,
- "actor_process_os_pid": null,
- "actor_process_image_sha256": null,
- "actor_process_signature_status": "N/A",
- "actor_process_signature_vendor": null,
- "actor_thread_thread_id": null,
- "fw_is_phishing": "N/A",
- "action_local_ip": null,
- "action_local_port": null,
- "fw_misc": null,
- "mitre_tactic_id_and_name": "TA0007 - Discovery",
- "mitre_technique_id_and_name": "T1012 - Query Registry",
- "module_id": "Behavioral Threat Protection",
- "fw_vsys": null,
- "os_actor_process_command_line": null,
- "os_actor_thread_thread_id": null,
- "os_actor_process_image_name": null,
- "os_actor_process_os_pid": null,
- "os_actor_process_image_sha256": null,
- "os_actor_process_signature_status": "N/A",
- "os_actor_process_signature_vendor": null,
- "os_actor_effective_username": null,
- "action_process_signature_status": "N/A",
- "action_process_signature_vendor": null,
- "action_registry_data": null,
- "action_registry_full_key": null,
- "action_external_hostname": null,
- "action_remote_ip": "8.8.8.8",
- "action_remote_port": null,
- "matching_service_rule_id": null,
- "fw_interface_from": null,
- "starred": false,
- "action_process_image_command_line": null,
- "action_process_image_name": null,
- "action_process_image_sha256": null,
- "fw_url_domain": null,
- "user_agent": null,
- "fw_xff": null,
- "alert_domain": "DOMAIN_SECURITY",
- "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "severity": "high",
- "matching_status": "MATCHED",
- "end_match_attempt_ts": null,
- "local_insert_ts": 1706539597503,
- "last_modified_ts": 1706539706370,
- "bioc_indicator": null,
- "attempt_counter": 0,
- "bioc_category_enum_key": null,
- "case_id": 391722,
- "deduplicate_tokens": null,
- "filter_rule_id": null,
- "agent_version": "8.8.8.8",
- "agent_ip_addresses_v6": null,
- "agent_data_collection_status": false,
- "agent_is_vdi": false,
- "agent_install_type": "STANDARD",
- "agent_host_boot_time": null,
- "event_sub_type": null,
- "association_strength": 50,
- "dst_association_strength": null,
- "story_id": null,
- "event_id": null,
- "event_timestamp": 1706540499609,
- "actor_process_instance_id": null,
- "actor_process_causality_id": null,
- "actor_causality_id": null,
- "causality_actor_process_execution_time": null,
- "action_registry_key_name": null,
- "action_registry_value_name": null,
- "action_local_ip_v6": null,
- "action_remote_ip_v6": null,
- "action_process_instance_id": null,
- "action_process_causality_id": null,
- "os_actor_process_instance_id": null,
- "os_actor_process_image_path": null,
- "os_actor_process_causality_id": null,
- "os_actor_causality_id": null,
- "dst_agent_id": null,
- "dst_causality_actor_process_execution_time": null,
- "dst_action_external_hostname": null,
- "dst_action_country": null,
- "dst_action_external_port": null,
- "is_pcap": false,
- "image_id": null,
- "container_name": null,
- "namespace": null,
- "alert_type": "Unclassified",
- "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
- "resolution_comment": null,
- "dynamic_fields": null,
- "tags": "DS:PANW/XDR Agent",
- "malicious_urls": null,
- "dss_job_title": null,
- "dss_department": null,
- "dss_country": null,
- "dss_groups": null,
- "alert_id": "50023290705",
- "detection_timestamp": 1706540499609,
- "name": "Behavioral Threat",
- "category": "Malware",
- "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
- "host_ip": "8.8.8.8",
- "host_name": "hostname",
- "source": "XDR Agent",
- "action": "REPORTED",
- "action_pretty": "Detected (Reported)",
- "user_name": null,
- "events_length": 1,
- "original_tags": "AS:PANE/XDR Agent"
- },
- {
- "agent_os_sub_type": "6.3.420",
- "fw_app_category": null,
- "fw_app_id": null,
- "fw_app_subcategory": null,
- "fw_app_technology": null,
- "causality_actor_process_command_line": null,
- "causality_actor_process_image_md5": null,
- "causality_actor_process_image_name": null,
- "causality_actor_process_image_path": null,
- "causality_actor_process_image_sha256": null,
- "causality_actor_process_signature_status": "N/A",
- "causality_actor_process_signature_vendor": null,
- "causality_actor_causality_id": null,
- "identity_sub_type": null,
- "identity_type": null,
- "operation_name": null,
- "project": null,
- "cloud_provider": null,
- "referenced_resource": null,
- "resource_sub_type": null,
- "resource_type": null,
- "cluster_name": null,
- "container_id": null,
- "contains_featured_host": "NO",
- "contains_featured_ip": "NO",
- "contains_featured_user": "NO",
- "action_country": "UNKNOWN",
- "fw_interface_to": null,
- "dns_query_name": null,
- "agent_device_domain": "attractions.conor.com",
- "fw_email_recipient": null,
- "fw_email_sender": null,
- "fw_email_subject": null,
- "event_type": null,
- "is_whitelisted": false,
- "action_file_macro_sha256": null,
- "action_file_md5": null,
- "action_file_name": null,
- "action_file_path": null,
- "action_file_sha256": null,
- "fw_device_name": null,
- "fw_rule_id": null,
- "fw_rule": null,
- "fw_serial_number": null,
- "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
- "mac": "2001:db8:1:1:1:1:1:1",
- "agent_os_type": "Windows",
- "image_name": null,
- "actor_process_image_name": "8.8.8.8",
- "actor_process_command_line": null,
- "actor_process_image_md5": null,
- "actor_process_image_path": null,
- "actor_process_os_pid": null,
- "actor_process_image_sha256": null,
- "actor_process_signature_status": "N/A",
- "actor_process_signature_vendor": null,
- "actor_thread_thread_id": null,
- "fw_is_phishing": "N/A",
- "action_local_ip": null,
- "action_local_port": null,
- "fw_misc": null,
- "mitre_tactic_id_and_name": "TA0007 - Discovery",
- "mitre_technique_id_and_name": "T1012 - Query Registry",
- "module_id": "Behavioral Threat Protection",
- "fw_vsys": null,
- "os_actor_process_command_line": null,
- "os_actor_thread_thread_id": null,
- "os_actor_process_image_name": null,
- "os_actor_process_os_pid": null,
- "os_actor_process_image_sha256": null,
- "os_actor_process_signature_status": "N/A",
- "os_actor_process_signature_vendor": null,
- "os_actor_effective_username": null,
- "action_process_signature_status": "N/A",
- "action_process_signature_vendor": null,
- "action_registry_data": null,
- "action_registry_full_key": null,
- "action_external_hostname": null,
- "action_remote_ip": "8.8.8.8",
- "action_remote_port": null,
- "matching_service_rule_id": null,
- "fw_interface_from": null,
- "starred": false,
- "action_process_image_command_line": null,
- "action_process_image_name": null,
- "action_process_image_sha256": null,
- "fw_url_domain": null,
- "user_agent": null,
- "fw_xff": null,
- "alert_domain": "DOMAIN_SECURITY",
- "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "severity": "high",
- "matching_status": "MATCHED",
- "end_match_attempt_ts": null,
- "local_insert_ts": 1706539597503,
- "last_modified_ts": 1706539706370,
- "bioc_indicator": null,
- "attempt_counter": 0,
- "bioc_category_enum_key": null,
- "case_id": 391722,
- "deduplicate_tokens": null,
- "filter_rule_id": null,
- "agent_version": "8.8.8.8",
- "agent_ip_addresses_v6": null,
- "agent_data_collection_status": false,
- "agent_is_vdi": false,
- "agent_install_type": "STANDARD",
- "agent_host_boot_time": null,
- "event_sub_type": null,
- "association_strength": 50,
- "dst_association_strength": null,
- "story_id": null,
- "event_id": null,
- "event_timestamp": 1706540499609,
- "actor_process_instance_id": null,
- "actor_process_causality_id": null,
- "actor_causality_id": null,
- "causality_actor_process_execution_time": null,
- "action_registry_key_name": null,
- "action_registry_value_name": null,
- "action_local_ip_v6": null,
- "action_remote_ip_v6": null,
- "action_process_instance_id": null,
- "action_process_causality_id": null,
- "os_actor_process_instance_id": null,
- "os_actor_process_image_path": null,
- "os_actor_process_causality_id": null,
- "os_actor_causality_id": null,
- "dst_agent_id": null,
- "dst_causality_actor_process_execution_time": null,
- "dst_action_external_hostname": null,
- "dst_action_country": null,
- "dst_action_external_port": null,
- "is_pcap": false,
- "image_id": null,
- "container_name": null,
- "namespace": null,
- "alert_type": "Unclassified",
- "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
- "resolution_comment": null,
- "dynamic_fields": null,
- "tags": "DS:PANW/XDR Agent",
- "malicious_urls": null,
- "dss_job_title": null,
- "dss_department": null,
- "dss_country": null,
- "dss_groups": null,
- "alert_id": "50023290705",
- "detection_timestamp": 1706540499609,
- "name": "Behavioral Threat",
- "category": "Malware",
- "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
- "host_ip": "8.8.8.8",
- "host_name": "hostname",
- "source": "XDR Agent",
- "action": "REPORTED",
- "action_pretty": "Detected (Reported)",
- "user_name": null,
- "events_length": 1,
- "original_tags": "AS:PANE/XDR Agent"
- },
- {
- "agent_os_sub_type": "6.3.420",
- "fw_app_category": null,
- "fw_app_id": null,
- "fw_app_subcategory": null,
- "fw_app_technology": null,
- "causality_actor_process_command_line": null,
- "causality_actor_process_image_md5": null,
- "causality_actor_process_image_name": null,
- "causality_actor_process_image_path": null,
- "causality_actor_process_image_sha256": null,
- "causality_actor_process_signature_status": "N/A",
- "causality_actor_process_signature_vendor": null,
- "causality_actor_causality_id": null,
- "identity_sub_type": null,
- "identity_type": null,
- "operation_name": null,
- "project": null,
- "cloud_provider": null,
- "referenced_resource": null,
- "resource_sub_type": null,
- "resource_type": null,
- "cluster_name": null,
- "container_id": null,
- "contains_featured_host": "NO",
- "contains_featured_ip": "NO",
- "contains_featured_user": "NO",
- "action_country": "UNKNOWN",
- "fw_interface_to": null,
- "dns_query_name": null,
- "agent_device_domain": "attractions.conor.com",
- "fw_email_recipient": null,
- "fw_email_sender": null,
- "fw_email_subject": null,
- "event_type": null,
- "is_whitelisted": false,
- "action_file_macro_sha256": null,
- "action_file_md5": null,
- "action_file_name": null,
- "action_file_path": null,
- "action_file_sha256": null,
- "fw_device_name": null,
- "fw_rule_id": null,
- "fw_rule": null,
- "fw_serial_number": null,
- 
"agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - 
"filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - 
"agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": 
"TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, 
- "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": 
null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - 
"action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": 
"STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - 
"action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 
1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - 
"action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, 
- "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - 
"actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - 
"causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - 
"action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": 
null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - 
"event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - 
"severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected 
(rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - 
"actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": 
null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - 
"causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - 
"os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - 
"dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": 
null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": 
null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 
1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - 
"actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": 
false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - 
"causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": 
null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - 
"os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - 
"contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - 
"fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": 
null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - 
"agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - 
"filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - 
"agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": 
"TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, 
- "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": 
null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - 
"action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": 
"STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - 
"action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 
1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - 
"action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, 
- "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - 
"actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - 
"causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - 
"action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": 
null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - 
"event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - 
"severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected 
(rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - 
"actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": 
null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - 
"causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - 
"os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - 
"dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": 
null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": 
null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 
1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - 
"actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": 
false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - 
"causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": 
null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - 
"os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - 
"contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - 
"fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": 
null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - 
"agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - 
"filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - 
"agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": 
"TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, 
- "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": 
null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - 
"action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": 
"STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - 
"action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 
1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - 
"action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, 
- "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - 
"actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - 
"causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - 
"action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": 
null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - 
"event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - 
"severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected 
(rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - 
"actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": 
null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - 
"causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - 
"os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - 
"dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": 
null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": 
null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 
1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - 
"actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": 
false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - 
"causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": 
null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - 
"os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - 
"contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - 
"fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": 
null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - 
"agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - 
"filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - 
"agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": 
"TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, 
- "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": 
null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - 
"action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": 
"STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - 
"action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 
1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - 
"action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, 
- "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - 
"actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - 
"causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - 
"action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": 
null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - 
"event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - 
"severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected 
(rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - 
"actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": 
null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - 
"causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - 
"os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - 
"dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": 
null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": 
null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 
1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - 
"actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": 
false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - 
"causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": 
null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - 
"os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - 
"contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - 
"fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": 
null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - 
"agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - 
"filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - 
"agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": 
"TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, 
- "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": 
null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - 
"action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": 
"STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - 
"action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 
1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - 
"action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, 
- "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - 
"actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - 
"causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - 
"action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": 
null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - 
"event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - 
"severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected 
(rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - 
"actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": 
null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - 
"causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - 
"os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - 
"dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": 
null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": 
null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 
1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - 
"actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": 
false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - 
"causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": 
null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - 
"os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - 
"contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - 
"fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": 
null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - 
"agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - 
"filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - 
"agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": 
"TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, 
- "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": 
null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - 
"action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": 
"STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - 
"action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 
1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - 
"action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, 
- "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - 
"actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - 
"causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - 
"action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": 
null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - 
"event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - 
"severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected 
(rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - 
"actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": 
null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - 
"causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - 
"os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - 
"dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": 
null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": 
null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 
1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - 
"actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": 
false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - 
"causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": 
null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - 
"os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - 
"contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - 
"fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": 
null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - 
"agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - 
"filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - 
"agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": 
"TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, 
- "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": 
null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - 
"action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": 
"STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - 
"action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 
1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - 
"action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, 
- "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - 
"actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - 
"causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - 
"action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": 
null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - 
"event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - 
"severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected 
(rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - 
"actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": 
null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - 
"causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - "action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - 
"os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - "causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - 
"dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - }, - { - "agent_os_sub_type": "6.3.420", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": 
null,
- "dns_query_name": null,
- "agent_device_domain": "attractions.conor.com",
- "fw_email_recipient": null,
- "fw_email_sender": null,
- "fw_email_subject": null,
- "event_type": null,
- "is_whitelisted": false,
- "action_file_macro_sha256": null,
- "action_file_md5": null,
- "action_file_name": null,
- "action_file_path": null,
- "action_file_sha256": null,
- "fw_device_name": null,
- "fw_rule_id": null,
- "fw_rule": null,
- "fw_serial_number": null,
- "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
- "mac": "2001:db8:1:1:1:1:1:1",
- "agent_os_type": "Windows",
- "image_name": null,
- "actor_process_image_name": "8.8.8.8",
- "actor_process_command_line": null,
- "actor_process_image_md5": null,
- "actor_process_image_path": null,
- "actor_process_os_pid": null,
- "actor_process_image_sha256": null,
- "actor_process_signature_status": "N/A",
- "actor_process_signature_vendor": null,
- "actor_thread_thread_id": null,
- "fw_is_phishing": "N/A",
- "action_local_ip": null,
- "action_local_port": null,
- "fw_misc": null,
- "mitre_tactic_id_and_name": "TA0007 - Discovery",
- "mitre_technique_id_and_name": "T1012 - Query Registry",
- "module_id": "Behavioral Threat Protection",
- "fw_vsys": null,
- "os_actor_process_command_line": null,
- "os_actor_thread_thread_id": null,
- "os_actor_process_image_name": null,
- "os_actor_process_os_pid": null,
- "os_actor_process_image_sha256": null,
- "os_actor_process_signature_status": "N/A",
- "os_actor_process_signature_vendor": null,
- "os_actor_effective_username": null,
- "action_process_signature_status": "N/A",
- "action_process_signature_vendor": null,
- "action_registry_data": null,
- "action_registry_full_key": null,
- "action_external_hostname": null,
- "action_remote_ip": "8.8.8.8",
- "action_remote_port": null,
- "matching_service_rule_id": null,
- "fw_interface_from": null,
- "starred": false,
- "action_process_image_command_line": null,
- "action_process_image_name": null,
- "action_process_image_sha256": null,
- "fw_url_domain": null,
- "user_agent": null,
- "fw_xff": null,
- "alert_domain": "DOMAIN_SECURITY",
- "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "severity": "high",
- "matching_status": "MATCHED",
- "end_match_attempt_ts": null,
- "local_insert_ts": 1706539597503,
- "last_modified_ts": 1706539706370,
- "bioc_indicator": null,
- "attempt_counter": 0,
- "bioc_category_enum_key": null,
- "case_id": 391722,
- "deduplicate_tokens": null,
- "filter_rule_id": null,
- "agent_version": "8.8.8.8",
- "agent_ip_addresses_v6": null,
- "agent_data_collection_status": false,
- "agent_is_vdi": false,
- "agent_install_type": "STANDARD",
- "agent_host_boot_time": null,
- "event_sub_type": null,
- "association_strength": 50,
- "dst_association_strength": null,
- "story_id": null,
- "event_id": null,
- "event_timestamp": 1706540499609,
- "actor_process_instance_id": null,
- "actor_process_causality_id": null,
- "actor_causality_id": null,
- "causality_actor_process_execution_time": null,
- "action_registry_key_name": null,
- "action_registry_value_name": null,
- "action_local_ip_v6": null,
- "action_remote_ip_v6": null,
- "action_process_instance_id": null,
- "action_process_causality_id": null,
- "os_actor_process_instance_id": null,
- "os_actor_process_image_path": null,
- "os_actor_process_causality_id": null,
- "os_actor_causality_id": null,
- "dst_agent_id": null,
- "dst_causality_actor_process_execution_time": null,
- "dst_action_external_hostname": null,
- "dst_action_country": null,
- "dst_action_external_port": null,
- "is_pcap": false,
- "image_id": null,
- "container_name": null,
- "namespace": null,
- "alert_type": "Unclassified",
- "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
- "resolution_comment": null,
- "dynamic_fields": null,
- "tags": "DS:PANW/XDR Agent",
- "malicious_urls": null,
- "dss_job_title": null,
- "dss_department": null,
- "dss_country": null,
- "dss_groups": null,
- "alert_id": "50023290705",
- "detection_timestamp": 1706540499609,
- "name": "Behavioral Threat",
- "category": "Malware",
- "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
- "host_ip": "8.8.8.8",
- "host_name": "hostname",
- "source": "XDR Agent",
- "action": "REPORTED",
- "action_pretty": "Detected (Reported)",
- "user_name": null,
- "events_length": 1,
- "original_tags": "AS:PANE/XDR Agent"
- },
- {
- "agent_os_sub_type": "6.3.420",
- "fw_app_category": null,
- "fw_app_id": null,
- "fw_app_subcategory": null,
- "fw_app_technology": null,
- "causality_actor_process_command_line": null,
- "causality_actor_process_image_md5": null,
- "causality_actor_process_image_name": null,
- "causality_actor_process_image_path": null,
- "causality_actor_process_image_sha256": null,
- "causality_actor_process_signature_status": "N/A",
- "causality_actor_process_signature_vendor": null,
- "causality_actor_causality_id": null,
- "identity_sub_type": null,
- "identity_type": null,
- "operation_name": null,
- "project": null,
- "cloud_provider": null,
- "referenced_resource": null,
- "resource_sub_type": null,
- "resource_type": null,
- "cluster_name": null,
- "container_id": null,
- "contains_featured_host": "NO",
- "contains_featured_ip": "NO",
- "contains_featured_user": "NO",
- "action_country": "UNKNOWN",
- "fw_interface_to": null,
- "dns_query_name": null,
- "agent_device_domain": "attractions.conor.com",
- "fw_email_recipient": null,
- "fw_email_sender": null,
- "fw_email_subject": null,
- "event_type": null,
- "is_whitelisted": false,
- "action_file_macro_sha256": null,
- "action_file_md5": null,
- "action_file_name": null,
- "action_file_path": null,
- "action_file_sha256": null,
- "fw_device_name": null,
- "fw_rule_id": null,
- "fw_rule": null,
- "fw_serial_number": null,
- "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
- "mac": "2001:db8:1:1:1:1:1:1",
- "agent_os_type": "Windows",
- "image_name": null,
- "actor_process_image_name": "8.8.8.8",
- "actor_process_command_line": null,
- "actor_process_image_md5": null,
- "actor_process_image_path": null,
- "actor_process_os_pid": null,
- "actor_process_image_sha256": null,
- "actor_process_signature_status": "N/A",
- "actor_process_signature_vendor": null,
- "actor_thread_thread_id": null,
- "fw_is_phishing": "N/A",
- "action_local_ip": null,
- "action_local_port": null,
- "fw_misc": null,
- "mitre_tactic_id_and_name": "TA0007 - Discovery",
- "mitre_technique_id_and_name": "T1012 - Query Registry",
- "module_id": "Behavioral Threat Protection",
- "fw_vsys": null,
- "os_actor_process_command_line": null,
- "os_actor_thread_thread_id": null,
- "os_actor_process_image_name": null,
- "os_actor_process_os_pid": null,
- "os_actor_process_image_sha256": null,
- "os_actor_process_signature_status": "N/A",
- "os_actor_process_signature_vendor": null,
- "os_actor_effective_username": null,
- "action_process_signature_status": "N/A",
- "action_process_signature_vendor": null,
- "action_registry_data": null,
- "action_registry_full_key": null,
- "action_external_hostname": null,
- "action_remote_ip": "8.8.8.8",
- "action_remote_port": null,
- "matching_service_rule_id": null,
- "fw_interface_from": null,
- "starred": false,
- "action_process_image_command_line": null,
- "action_process_image_name": null,
- "action_process_image_sha256": null,
- "fw_url_domain": null,
- "user_agent": null,
- "fw_xff": null,
- "alert_domain": "DOMAIN_SECURITY",
- "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "severity": "high",
- "matching_status": "MATCHED",
- "end_match_attempt_ts": null,
- "local_insert_ts": 1706539597503,
- "last_modified_ts": 1706539706370,
- "bioc_indicator": null,
- "attempt_counter": 0,
- "bioc_category_enum_key": null,
- "case_id": 391722,
- "deduplicate_tokens": null,
- "filter_rule_id": null,
- "agent_version": "8.8.8.8",
- "agent_ip_addresses_v6": null,
- "agent_data_collection_status": false,
- "agent_is_vdi": false,
- "agent_install_type": "STANDARD",
- "agent_host_boot_time": null,
- "event_sub_type": null,
- "association_strength": 50,
- "dst_association_strength": null,
- "story_id": null,
- "event_id": null,
- "event_timestamp": 1706540499609,
- "actor_process_instance_id": null,
- "actor_process_causality_id": null,
- "actor_causality_id": null,
- "causality_actor_process_execution_time": null,
- "action_registry_key_name": null,
- "action_registry_value_name": null,
- "action_local_ip_v6": null,
- "action_remote_ip_v6": null,
- "action_process_instance_id": null,
- "action_process_causality_id": null,
- "os_actor_process_instance_id": null,
- "os_actor_process_image_path": null,
- "os_actor_process_causality_id": null,
- "os_actor_causality_id": null,
- "dst_agent_id": null,
- "dst_causality_actor_process_execution_time": null,
- "dst_action_external_hostname": null,
- "dst_action_country": null,
- "dst_action_external_port": null,
- "is_pcap": false,
- "image_id": null,
- "container_name": null,
- "namespace": null,
- "alert_type": "Unclassified",
- "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
- "resolution_comment": null,
- "dynamic_fields": null,
- "tags": "DS:PANW/XDR Agent",
- "malicious_urls": null,
- "dss_job_title": null,
- "dss_department": null,
- "dss_country": null,
- "dss_groups": null,
- "alert_id": "50023290705",
- "detection_timestamp": 1706540499609,
- "name": "Behavioral Threat",
- "category": "Malware",
- "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
- "host_ip": "8.8.8.8",
- "host_name": "hostname",
- "source": "XDR Agent",
- "action": "REPORTED",
- "action_pretty": "Detected (Reported)",
- "user_name": null,
- "events_length": 1,
- "original_tags": "AS:PANE/XDR Agent"
- },
- {
- "agent_os_sub_type": "6.3.420",
- "fw_app_category": null,
- "fw_app_id": null,
- "fw_app_subcategory": null,
- "fw_app_technology": null,
- "causality_actor_process_command_line": null,
- "causality_actor_process_image_md5": null,
- "causality_actor_process_image_name": null,
- "causality_actor_process_image_path": null,
- "causality_actor_process_image_sha256": null,
- "causality_actor_process_signature_status": "N/A",
- "causality_actor_process_signature_vendor": null,
- "causality_actor_causality_id": null,
- "identity_sub_type": null,
- "identity_type": null,
- "operation_name": null,
- "project": null,
- "cloud_provider": null,
- "referenced_resource": null,
- "resource_sub_type": null,
- "resource_type": null,
- "cluster_name": null,
- "container_id": null,
- "contains_featured_host": "NO",
- "contains_featured_ip": "NO",
- "contains_featured_user": "NO",
- "action_country": "UNKNOWN",
- "fw_interface_to": null,
- "dns_query_name": null,
- "agent_device_domain": "attractions.conor.com",
- "fw_email_recipient": null,
- "fw_email_sender": null,
- "fw_email_subject": null,
- "event_type": null,
- "is_whitelisted": false,
- "action_file_macro_sha256": null,
- "action_file_md5": null,
- "action_file_name": null,
- "action_file_path": null,
- "action_file_sha256": null,
- "fw_device_name": null,
- "fw_rule_id": null,
- "fw_rule": null,
- "fw_serial_number": null,
- "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
- "mac": "2001:db8:1:1:1:1:1:1",
- "agent_os_type": "Windows",
- "image_name": null,
- "actor_process_image_name": "8.8.8.8",
- "actor_process_command_line": null,
- "actor_process_image_md5": null,
- "actor_process_image_path": null,
- "actor_process_os_pid": null,
- "actor_process_image_sha256": null,
- "actor_process_signature_status": "N/A",
- "actor_process_signature_vendor": null,
- "actor_thread_thread_id": null,
- "fw_is_phishing": "N/A",
- "action_local_ip": null,
- "action_local_port": null,
- "fw_misc": null,
- "mitre_tactic_id_and_name": "TA0007 - Discovery",
- "mitre_technique_id_and_name": "T1012 - Query Registry",
- "module_id": "Behavioral Threat Protection",
- "fw_vsys": null,
- "os_actor_process_command_line": null,
- "os_actor_thread_thread_id": null,
- "os_actor_process_image_name": null,
- "os_actor_process_os_pid": null,
- "os_actor_process_image_sha256": null,
- "os_actor_process_signature_status": "N/A",
- "os_actor_process_signature_vendor": null,
- "os_actor_effective_username": null,
- "action_process_signature_status": "N/A",
- "action_process_signature_vendor": null,
- "action_registry_data": null,
- "action_registry_full_key": null,
- "action_external_hostname": null,
- "action_remote_ip": "8.8.8.8",
- "action_remote_port": null,
- "matching_service_rule_id": null,
- "fw_interface_from": null,
- "starred": false,
- "action_process_image_command_line": null,
- "action_process_image_name": null,
- "action_process_image_sha256": null,
- "fw_url_domain": null,
- "user_agent": null,
- "fw_xff": null,
- "alert_domain": "DOMAIN_SECURITY",
- "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "severity": "high",
- "matching_status": "MATCHED",
- "end_match_attempt_ts": null,
- "local_insert_ts": 1706539597503,
- "last_modified_ts": 1706539706370,
- "bioc_indicator": null,
- "attempt_counter": 0,
- "bioc_category_enum_key": null,
- "case_id": 391722,
- "deduplicate_tokens": null,
- "filter_rule_id": null,
- "agent_version": "8.8.8.8",
- "agent_ip_addresses_v6": null,
- "agent_data_collection_status": false,
- "agent_is_vdi": false,
- "agent_install_type": "STANDARD",
- "agent_host_boot_time": null,
- "event_sub_type": null,
- "association_strength": 50,
- "dst_association_strength": null,
- "story_id": null,
- "event_id": null,
- "event_timestamp": 1706540499609,
- "actor_process_instance_id": null,
- "actor_process_causality_id": null,
- "actor_causality_id": null,
- "causality_actor_process_execution_time": null,
- "action_registry_key_name": null,
- "action_registry_value_name": null,
- "action_local_ip_v6": null,
- "action_remote_ip_v6": null,
- "action_process_instance_id": null,
- "action_process_causality_id": null,
- "os_actor_process_instance_id": null,
- "os_actor_process_image_path": null,
- "os_actor_process_causality_id": null,
- "os_actor_causality_id": null,
- "dst_agent_id": null,
- "dst_causality_actor_process_execution_time": null,
- "dst_action_external_hostname": null,
- "dst_action_country": null,
- "dst_action_external_port": null,
- "is_pcap": false,
- "image_id": null,
- "container_name": null,
- "namespace": null,
- "alert_type": "Unclassified",
- "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
- "resolution_comment": null,
- "dynamic_fields": null,
- "tags": "DS:PANW/XDR Agent",
- "malicious_urls": null,
- "dss_job_title": null,
- "dss_department": null,
- "dss_country": null,
- "dss_groups": null,
- "alert_id": "50023290705",
- "detection_timestamp": 1706540499609,
- "name": "Behavioral Threat",
- "category": "Malware",
- "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
- "host_ip": "8.8.8.8",
- "host_name": "hostname",
- "source": "XDR Agent",
- "action": "REPORTED",
- "action_pretty": "Detected (Reported)",
- "user_name": null,
- "events_length": 1,
- "original_tags": "AS:PANE/XDR Agent"
- },
- {
- "agent_os_sub_type": "6.3.420",
- "fw_app_category": null,
- "fw_app_id": null,
- "fw_app_subcategory": null,
- "fw_app_technology": null,
- "causality_actor_process_command_line": null,
- "causality_actor_process_image_md5": null,
- "causality_actor_process_image_name": null,
- "causality_actor_process_image_path": null,
- "causality_actor_process_image_sha256": null,
- "causality_actor_process_signature_status": "N/A",
- "causality_actor_process_signature_vendor": null,
- "causality_actor_causality_id": null,
- "identity_sub_type": null,
- "identity_type": null,
- "operation_name": null,
- "project": null,
- "cloud_provider": null,
- "referenced_resource": null,
- "resource_sub_type": null,
- "resource_type": null,
- "cluster_name": null,
- "container_id": null,
- "contains_featured_host": "NO",
- "contains_featured_ip": "NO",
- "contains_featured_user": "NO",
- "action_country": "UNKNOWN",
- "fw_interface_to": null,
- "dns_query_name": null,
- "agent_device_domain": "attractions.conor.com",
- "fw_email_recipient": null,
- "fw_email_sender": null,
- "fw_email_subject": null,
- "event_type": null,
- "is_whitelisted": false,
- "action_file_macro_sha256": null,
- "action_file_md5": null,
- "action_file_name": null,
- "action_file_path": null,
- "action_file_sha256": null,
- "fw_device_name": null,
- "fw_rule_id": null,
- "fw_rule": null,
- "fw_serial_number": null,
- "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
- "mac": "2001:db8:1:1:1:1:1:1",
- "agent_os_type": "Windows",
- "image_name": null,
- "actor_process_image_name": "8.8.8.8",
- "actor_process_command_line": null,
- "actor_process_image_md5": null,
- "actor_process_image_path": null,
- "actor_process_os_pid": null,
- "actor_process_image_sha256": null,
- "actor_process_signature_status": "N/A",
- "actor_process_signature_vendor": null,
- "actor_thread_thread_id": null,
- "fw_is_phishing": "N/A",
- "action_local_ip": null,
- "action_local_port": null,
- "fw_misc": null,
- "mitre_tactic_id_and_name": "TA0007 - Discovery",
- "mitre_technique_id_and_name": "T1012 - Query Registry",
- "module_id": "Behavioral Threat Protection",
- "fw_vsys": null,
- "os_actor_process_command_line": null,
- "os_actor_thread_thread_id": null,
- "os_actor_process_image_name": null,
- "os_actor_process_os_pid": null,
- "os_actor_process_image_sha256": null,
- "os_actor_process_signature_status": "N/A",
- "os_actor_process_signature_vendor": null,
- "os_actor_effective_username": null,
- "action_process_signature_status": "N/A",
- "action_process_signature_vendor": null,
- "action_registry_data": null,
- "action_registry_full_key": null,
- "action_external_hostname": null,
- "action_remote_ip": "8.8.8.8",
- "action_remote_port": null,
- "matching_service_rule_id": null,
- "fw_interface_from": null,
- "starred": false,
- "action_process_image_command_line": null,
- "action_process_image_name": null,
- "action_process_image_sha256": null,
- "fw_url_domain": null,
- "user_agent": null,
- "fw_xff": null,
- "alert_domain": "DOMAIN_SECURITY",
- "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "severity": "high",
- "matching_status": "MATCHED",
- "end_match_attempt_ts": null,
- "local_insert_ts": 1706539597503,
- "last_modified_ts": 1706539706370,
- "bioc_indicator": null,
- "attempt_counter": 0,
- "bioc_category_enum_key": null,
- "case_id": 391722,
- "deduplicate_tokens": null,
- "filter_rule_id": null,
- "agent_version": "8.8.8.8",
- "agent_ip_addresses_v6": null,
- "agent_data_collection_status": false,
- "agent_is_vdi": false,
- "agent_install_type": "STANDARD",
- "agent_host_boot_time": null,
- "event_sub_type": null,
- "association_strength": 50,
- "dst_association_strength": null,
- "story_id": null,
- "event_id": null,
- "event_timestamp": 1706540499609,
- "actor_process_instance_id": null,
- "actor_process_causality_id": null,
- "actor_causality_id": null,
- "causality_actor_process_execution_time": null,
- "action_registry_key_name": null,
- "action_registry_value_name": null,
- "action_local_ip_v6": null,
- "action_remote_ip_v6": null,
- "action_process_instance_id": null,
- "action_process_causality_id": null,
- "os_actor_process_instance_id": null,
- "os_actor_process_image_path": null,
- "os_actor_process_causality_id": null,
- "os_actor_causality_id": null,
- "dst_agent_id": null,
- "dst_causality_actor_process_execution_time": null,
- "dst_action_external_hostname": null,
- "dst_action_country": null,
- "dst_action_external_port": null,
- "is_pcap": false,
- "image_id": null,
- "container_name": null,
- "namespace": null,
- "alert_type": "Unclassified",
- "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
- "resolution_comment": null,
- "dynamic_fields": null,
- "tags": "DS:PANW/XDR Agent",
- "malicious_urls": null,
- "dss_job_title": null,
- "dss_department": null,
- "dss_country": null,
- "dss_groups": null,
- "alert_id": "50023290705",
- "detection_timestamp": 1706540499609,
- "name": "Behavioral Threat",
- "category": "Malware",
- "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
- "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
- "host_ip": "8.8.8.8",
- "host_name": "hostname",
- "source": "XDR Agent",
- "action": "REPORTED",
- "action_pretty": "Detected (Reported)",
- "user_name": null,
- "events_length": 1,
- "original_tags": "AS:PANE/XDR Agent"
- }
- ]
- }
-}
+ "reply": {
+ "total_count": 1000,
+ "result_count": 100,
+ "alerts": [
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": 
"8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + 
"actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + 
"event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + 
"causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + 
"os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + 
"dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": 
null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": 
null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": 
"Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + 
"actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + 
"agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + 
"causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + 
"os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + 
"os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + 
"contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ 
"end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": 
"8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + 
"actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + 
"event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + 
"causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + 
"os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + 
"dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": 
null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": 
null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": 
"Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + 
"actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + 
"agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + 
"causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + 
"os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + 
"os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + 
"contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + 
"action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": 
null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + 
"mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + 
"agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": 
null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query 
Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + 
"action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": 
null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + 
"action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + 
"dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + 
"fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + 
"bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + 
"events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + 
"action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": 
null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + 
"identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + 
"action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + 
"container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + 
"action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + 
"end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": 
"8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + 
"actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + 
"event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + 
"causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + 
"os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + 
"dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": 
null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": 
null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": 
"Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + 
"actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + 
"agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + 
"causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + 
"os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + 
"os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ 
"contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ 
"action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": 
null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ 
"mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ 
"agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": 
null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query 
Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ 
"action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": 
null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ 
"action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ 
"dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ 
"fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ 
"bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ 
"events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ 
"action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": 
null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ 
"identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + 
"action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + 
"container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + 
"action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + 
"end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": 
"8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + 
"actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + 
"event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + 
"causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + 
"os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + 
"dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": 
null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": 
null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": 
"Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + 
"actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + 
"agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + 
"causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + 
"os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + 
"os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + 
"contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + 
"action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": 
null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + 
"mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + 
"agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": 
null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query 
Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + 
"action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": 
null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + 
"action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + 
"dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + 
"fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + 
"bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + 
"events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + 
"action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": 
null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + 
"identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + 
"action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + 
"container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + 
"action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + 
"end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": 
"8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + 
"actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + 
"event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + 
"causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + 
"os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + 
"dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": 
null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": 
null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": 
"Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + 
"actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": 
null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + 
"identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + 
"action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + 
"container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + 
"action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + 
"end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": 
"8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + 
"actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + 
"event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + 
"causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + 
"os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + 
"dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": 
null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": 
null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": 
"Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + 
"actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + 
"agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + 
"causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + 
"os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + 
"os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + 
"contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + 
"action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": 
null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + 
"mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + 
"agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": 
null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query 
Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + 
"action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": 
null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + 
"action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + 
"dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + 
"fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + 
"bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + 
"events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + 
"action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": 
null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + 
"identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + 
"action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + 
"container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + 
"action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + 
"end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": 
"8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + 
"actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + 
"event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + 
"causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + 
"os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + 
"dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": 
null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": 
null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": 
"Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + 
"actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + 
"agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + 
"causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + 
"os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + 
"os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + 
"contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + 
"action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": 
null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + 
"mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + 
"agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": 
null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query 
Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + 
"action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": 
null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + 
"action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + 
"dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + 
"fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + 
"bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + 
"events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + 
"action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": 
null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + 
"identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + 
"action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + 
"container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + 
"action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + 
"end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": 
"8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + 
"actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + 
"event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + 
"causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + 
"os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + 
"dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": 
null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": 
null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": 
"Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + 
"actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + 
"agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + 
"causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + 
"os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + 
"os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + } + ] + } +} \ No newline at end of file diff --git a/plugins/palo_alto_cortex_xdr/unit_test/responses/monitor_alerts_two.json.resp b/plugins/palo_alto_cortex_xdr/unit_test/responses/monitor_alerts_two.json.resp index 2626c20174..8e96f36572 100644 --- a/plugins/palo_alto_cortex_xdr/unit_test/responses/monitor_alerts_two.json.resp +++ b/plugins/palo_alto_cortex_xdr/unit_test/responses/monitor_alerts_two.json.resp 
@@ -1,171 +1,16308 @@ { - "reply": { - "total_count": 1000, - "result_count": 1, - "alerts": [ - { - "agent_os_sub_type": "6.3.4201", - "fw_app_category": null, - "fw_app_id": null, - "fw_app_subcategory": null, - "fw_app_technology": null, - "causality_actor_process_command_line": null, - "causality_actor_process_image_md5": null, - "causality_actor_process_image_name": null, - "causality_actor_process_image_path": null, - "causality_actor_process_image_sha256": null, - "causality_actor_process_signature_status": "N/A", - "causality_actor_process_signature_vendor": null, - "causality_actor_causality_id": null, - "identity_sub_type": null, - "identity_type": null, - "operation_name": null, - "project": null, - "cloud_provider": null, - "referenced_resource": null, - "resource_sub_type": null, - "resource_type": null, - "cluster_name": null, - "container_id": null, - "contains_featured_host": "NO", - "contains_featured_ip": "NO", - "contains_featured_user": "NO", - "action_country": "UNKNOWN", - "fw_interface_to": null, - "dns_query_name": null, - "agent_device_domain": "attractions.conor.com", - "fw_email_recipient": null, - "fw_email_sender": null, - "fw_email_subject": null, - "event_type": null, - "is_whitelisted": false, - "action_file_macro_sha256": null, - "action_file_md5": null, - "action_file_name": null, - "action_file_path": null, - "action_file_sha256": null, - "fw_device_name": null, - "fw_rule_id": null, - "fw_rule": null, - "fw_serial_number": null, - "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", - "mac": "2001:db8:1:1:1:1:1:1", - "agent_os_type": "Windows", - "image_name": null, - "actor_process_image_name": "8.8.8.8", - "actor_process_command_line": null, - "actor_process_image_md5": null, - "actor_process_image_path": null, - "actor_process_os_pid": null, - "actor_process_image_sha256": null, - "actor_process_signature_status": "N/A", - "actor_process_signature_vendor": null, - "actor_thread_thread_id": null, - "fw_is_phishing": "N/A", - 
"action_local_ip": null, - "action_local_port": null, - "fw_misc": null, - "mitre_tactic_id_and_name": "TA0007 - Discovery", - "mitre_technique_id_and_name": "T1012 - Query Registry", - "module_id": "Behavioral Threat Protection", - "fw_vsys": null, - "os_actor_process_command_line": null, - "os_actor_thread_thread_id": null, - "os_actor_process_image_name": null, - "os_actor_process_os_pid": null, - "os_actor_process_image_sha256": null, - "os_actor_process_signature_status": "N/A", - "os_actor_process_signature_vendor": null, - "os_actor_effective_username": null, - "action_process_signature_status": "N/A", - "action_process_signature_vendor": null, - "action_registry_data": null, - "action_registry_full_key": null, - "action_external_hostname": null, - "action_remote_ip": "8.8.8.8", - "action_remote_port": null, - "matching_service_rule_id": null, - "fw_interface_from": null, - "starred": false, - "action_process_image_command_line": null, - "action_process_image_name": null, - "action_process_image_sha256": null, - "fw_url_domain": null, - "user_agent": null, - "fw_xff": null, - "alert_domain": "DOMAIN_SECURITY", - "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "severity": "high", - "matching_status": "MATCHED", - "end_match_attempt_ts": null, - "local_insert_ts": 1706539597503, - "last_modified_ts": 1706539706370, - "bioc_indicator": null, - "attempt_counter": 0, - "bioc_category_enum_key": null, - "case_id": 391722, - "deduplicate_tokens": null, - "filter_rule_id": null, - "agent_version": "8.8.8.8", - "agent_ip_addresses_v6": null, - "agent_data_collection_status": false, - "agent_is_vdi": false, - "agent_install_type": "STANDARD", - "agent_host_boot_time": null, - "event_sub_type": null, - "association_strength": 50, - "dst_association_strength": null, - "story_id": null, - "event_id": null, - "event_timestamp": 1706540499609, - "actor_process_instance_id": null, - "actor_process_causality_id": null, - "actor_causality_id": null, - 
"causality_actor_process_execution_time": null, - "action_registry_key_name": null, - "action_registry_value_name": null, - "action_local_ip_v6": null, - "action_remote_ip_v6": null, - "action_process_instance_id": null, - "action_process_causality_id": null, - "os_actor_process_instance_id": null, - "os_actor_process_image_path": null, - "os_actor_process_causality_id": null, - "os_actor_causality_id": null, - "dst_agent_id": null, - "dst_causality_actor_process_execution_time": null, - "dst_action_external_hostname": null, - "dst_action_country": null, - "dst_action_external_port": null, - "is_pcap": false, - "image_id": null, - "container_name": null, - "namespace": null, - "alert_type": "Unclassified", - "resolution_status": "STATUS_020_UNDER_INVESTIGATION", - "resolution_comment": null, - "dynamic_fields": null, - "tags": "DS:PANW/XDR Agent", - "malicious_urls": null, - "dss_job_title": null, - "dss_department": null, - "dss_country": null, - "dss_groups": null, - "alert_id": "50023290705", - "detection_timestamp": 1706540499609, - "name": "Behavioral Threat", - "category": "Malware", - "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", - "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", - "host_ip": "8.8.8.8", - "host_name": "hostname", - "source": "XDR Agent", - "action": "REPORTED", - "action_pretty": "Detected (Reported)", - "user_name": null, - "events_length": 1, - "original_tags": "AS:PANE/XDR Agent" - } - ] - } -} + "reply": { + "total_count": 1000, + "result_count": 100, + "alerts": [ + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + 
"causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": 
null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + 
"dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + 
"fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + 
"external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": 
"9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": 
null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + 
"association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + 
"causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + 
"os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + 
"os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + 
"contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + 
"action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": 
null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + 
"mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + 
"agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": 
null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query 
Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + 
"action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": 
null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + 
"action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + 
"dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + 
"fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + 
"bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + 
"events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + 
"action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": 
null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + 
"identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + 
"action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + 
"container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + 
"action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + 
"end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": 
"8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + 
"actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + 
"event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + 
"causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + 
"os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + 
"dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": 
null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": 
null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": 
"Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + 
"actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + 
"agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ 
"causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ 
"os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ 
"os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ 
"contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ 
"action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": 
null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ 
"mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ 
"agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": 
null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query 
Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ 
"action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": 
null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ 
"action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ 
"dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ 
"fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ 
"bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ 
"events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + 
"action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": 
null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + 
"identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + 
"action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + 
"container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + 
"action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + 
"end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": 
"8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + 
"actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + 
"event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + 
"causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + 
"os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + 
"dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": 
null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": 
null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ 
"action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": 
null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + 
"identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + 
"action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + 
"container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + 
"action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + 
"end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": 
"8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + 
"actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + 
"event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + 
"causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + 
"os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + 
"dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": 
null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": 
null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": 
"Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + 
"actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + 
"agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + 
"causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + 
"os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + 
"os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + 
"contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + 
"action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": 
null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + 
"mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + 
"agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": 
null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query 
Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + 
"action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": 
null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + 
"action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + 
"dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + 
"fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + 
"bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + 
"events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + 
"action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": 
null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + 
"identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + 
"action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + 
"container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + 
"action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + 
"end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": 
"8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + 
"actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + 
"event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + 
"causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + 
"os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + 
"dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": 
null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": 
null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": 
"Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + 
"actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + 
"agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + 
"causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + 
"os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + 
"os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + 
"contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + 
"action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": 
null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + 
"mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + 
"agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": 
null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query 
Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + 
"action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": 
null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + 
"action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + 
"dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ 
"fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ 
"bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ 
"events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ 
"action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": 
null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ 
"identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ 
"action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ 
"container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ 
"action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ 
"end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": 
"8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ 
"actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ "os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ 
"event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ "dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ 
"causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": null,
+ "agent_device_domain": "attractions.conor.com",
+ "fw_email_recipient": null,
+ "fw_email_sender": null,
+ "fw_email_subject": null,
+ "event_type": null,
+ "is_whitelisted": false,
+ "action_file_macro_sha256": null,
+ "action_file_md5": null,
+ "action_file_name": null,
+ "action_file_path": null,
+ "action_file_sha256": null,
+ "fw_device_name": null,
+ "fw_rule_id": null,
+ "fw_rule": null,
+ "fw_serial_number": null,
+ "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com",
+ "mac": "2001:db8:1:1:1:1:1:1",
+ "agent_os_type": "Windows",
+ "image_name": null,
+ "actor_process_image_name": "8.8.8.8",
+ "actor_process_command_line": null,
+ "actor_process_image_md5": null,
+ "actor_process_image_path": null,
+ "actor_process_os_pid": null,
+ "actor_process_image_sha256": null,
+ "actor_process_signature_status": "N/A",
+ "actor_process_signature_vendor": null,
+ "actor_thread_thread_id": null,
+ "fw_is_phishing": "N/A",
+ "action_local_ip": null,
+ "action_local_port": null,
+ "fw_misc": null,
+ "mitre_tactic_id_and_name": "TA0007 - Discovery",
+ "mitre_technique_id_and_name": "T1012 - Query Registry",
+ "module_id": "Behavioral Threat Protection",
+ "fw_vsys": null,
+ "os_actor_process_command_line": null,
+ "os_actor_thread_thread_id": null,
+ "os_actor_process_image_name": null,
+ "os_actor_process_os_pid": null,
+ "os_actor_process_image_sha256": null,
+ 
"os_actor_process_signature_status": "N/A",
+ "os_actor_process_signature_vendor": null,
+ "os_actor_effective_username": null,
+ "action_process_signature_status": "N/A",
+ "action_process_signature_vendor": null,
+ "action_registry_data": null,
+ "action_registry_full_key": null,
+ "action_external_hostname": null,
+ "action_remote_ip": "8.8.8.8",
+ "action_remote_port": null,
+ "matching_service_rule_id": null,
+ "fw_interface_from": null,
+ "starred": false,
+ "action_process_image_command_line": null,
+ "action_process_image_name": null,
+ "action_process_image_sha256": null,
+ "fw_url_domain": null,
+ "user_agent": null,
+ "fw_xff": null,
+ "alert_domain": "DOMAIN_SECURITY",
+ "external_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "severity": "high",
+ "matching_status": "MATCHED",
+ "end_match_attempt_ts": null,
+ "local_insert_ts": 1706539597503,
+ "last_modified_ts": 1706539706370,
+ "bioc_indicator": null,
+ "attempt_counter": 0,
+ "bioc_category_enum_key": null,
+ "case_id": 391722,
+ "deduplicate_tokens": null,
+ "filter_rule_id": null,
+ "agent_version": "8.8.8.8",
+ "agent_ip_addresses_v6": null,
+ "agent_data_collection_status": false,
+ "agent_is_vdi": false,
+ "agent_install_type": "STANDARD",
+ "agent_host_boot_time": null,
+ "event_sub_type": null,
+ "association_strength": 50,
+ "dst_association_strength": null,
+ "story_id": null,
+ "event_id": null,
+ "event_timestamp": 1706540499609,
+ "actor_process_instance_id": null,
+ "actor_process_causality_id": null,
+ "actor_causality_id": null,
+ "causality_actor_process_execution_time": null,
+ "action_registry_key_name": null,
+ "action_registry_value_name": null,
+ "action_local_ip_v6": null,
+ "action_remote_ip_v6": null,
+ "action_process_instance_id": null,
+ "action_process_causality_id": null,
+ "os_actor_process_instance_id": null,
+ "os_actor_process_image_path": null,
+ "os_actor_process_causality_id": null,
+ "os_actor_causality_id": null,
+ "dst_agent_id": null,
+ 
"dst_causality_actor_process_execution_time": null,
+ "dst_action_external_hostname": null,
+ "dst_action_country": null,
+ "dst_action_external_port": null,
+ "is_pcap": false,
+ "image_id": null,
+ "container_name": null,
+ "namespace": null,
+ "alert_type": "Unclassified",
+ "resolution_status": "STATUS_020_UNDER_INVESTIGATION",
+ "resolution_comment": null,
+ "dynamic_fields": null,
+ "tags": "DS:PANW/XDR Agent",
+ "malicious_urls": null,
+ "dss_job_title": null,
+ "dss_department": null,
+ "dss_country": null,
+ "dss_groups": null,
+ "alert_id": "50023290705",
+ "detection_timestamp": 1706540499609,
+ "name": "Behavioral Threat",
+ "category": "Malware",
+ "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0",
+ "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)",
+ "host_ip": "8.8.8.8",
+ "host_name": "hostname",
+ "source": "XDR Agent",
+ "action": "REPORTED",
+ "action_pretty": "Detected (Reported)",
+ "user_name": null,
+ "events_length": 1,
+ "original_tags": "AS:PANE/XDR Agent"
+ },
+ {
+ "agent_os_sub_type": "6.3.420",
+ "fw_app_category": null,
+ "fw_app_id": null,
+ "fw_app_subcategory": null,
+ "fw_app_technology": null,
+ "causality_actor_process_command_line": null,
+ "causality_actor_process_image_md5": null,
+ "causality_actor_process_image_name": null,
+ "causality_actor_process_image_path": null,
+ "causality_actor_process_image_sha256": null,
+ "causality_actor_process_signature_status": "N/A",
+ "causality_actor_process_signature_vendor": null,
+ "causality_actor_causality_id": null,
+ "identity_sub_type": null,
+ "identity_type": null,
+ "operation_name": null,
+ "project": null,
+ "cloud_provider": null,
+ "referenced_resource": null,
+ "resource_sub_type": null,
+ "resource_type": null,
+ "cluster_name": null,
+ "container_id": null,
+ "contains_featured_host": "NO",
+ "contains_featured_ip": "NO",
+ "contains_featured_user": "NO",
+ "action_country": "UNKNOWN",
+ "fw_interface_to": null,
+ "dns_query_name": 
null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": 
null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": 
"Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + 
"actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + 
"agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + 
"causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + 
"os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + 
"os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + 
"contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + 
"action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": 
null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + 
"mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + 
"agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": 
null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query 
Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + 
"action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": 
null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + 
"action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + 
"dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + 
"fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + 
"bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + 
"events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + 
"action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": 
null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + 
"identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + 
"action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + 
"container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + 
"action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + 
"end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": 
"8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + 
"actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + 
"event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + 
"causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + 
"os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + 
"dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": 
null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": 
null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": 
"Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + 
"actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + 
"agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + 
"causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + 
"os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + 
"os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + 
"contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + 
"action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": 
null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + 
"mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + 
"agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": 
null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query 
Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + 
"action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": 
null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + 
"action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + 
"dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + 
"fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + 
"bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + 
"events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + 
"action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": 
null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + 
"identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + 
"action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + 
"container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + 
"action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + 
"end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": 
"8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + 
"actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + 
"event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + 
"causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + 
"os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + 
"dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": 
null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": 
null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": 
"Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + 
"actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + 
"agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + 
"causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + 
"os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + 
"os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + 
"contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + 
"action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": 
null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + 
"mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + 
"agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": 
null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query 
Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + 
"action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": 
null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + "fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + 
"action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + "bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + 
"dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + "events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + }, + { + "agent_os_sub_type": "6.3.420", + "fw_app_category": null, + "fw_app_id": null, + "fw_app_subcategory": null, + "fw_app_technology": null, + "causality_actor_process_command_line": null, + "causality_actor_process_image_md5": null, + "causality_actor_process_image_name": null, + "causality_actor_process_image_path": null, + "causality_actor_process_image_sha256": null, + "causality_actor_process_signature_status": "N/A", + "causality_actor_process_signature_vendor": null, + "causality_actor_causality_id": null, + "identity_sub_type": null, + "identity_type": null, + "operation_name": null, + "project": null, + "cloud_provider": null, + "referenced_resource": null, + "resource_sub_type": null, + "resource_type": null, + "cluster_name": null, + "container_id": null, + "contains_featured_host": "NO", + "contains_featured_ip": "NO", + "contains_featured_user": "NO", + "action_country": "UNKNOWN", + "fw_interface_to": null, + "dns_query_name": null, + "agent_device_domain": "attractions.conor.com", + "fw_email_recipient": null, + "fw_email_sender": null, + "fw_email_subject": null, + "event_type": null, + "is_whitelisted": false, + "action_file_macro_sha256": null, + "action_file_md5": null, + "action_file_name": null, + "action_file_path": null, + "action_file_sha256": null, + "fw_device_name": null, + 
"fw_rule_id": null, + "fw_rule": null, + "fw_serial_number": null, + "agent_fqdn": "FL-ATR-DC3-04.attractions.disney.com", + "mac": "2001:db8:1:1:1:1:1:1", + "agent_os_type": "Windows", + "image_name": null, + "actor_process_image_name": "8.8.8.8", + "actor_process_command_line": null, + "actor_process_image_md5": null, + "actor_process_image_path": null, + "actor_process_os_pid": null, + "actor_process_image_sha256": null, + "actor_process_signature_status": "N/A", + "actor_process_signature_vendor": null, + "actor_thread_thread_id": null, + "fw_is_phishing": "N/A", + "action_local_ip": null, + "action_local_port": null, + "fw_misc": null, + "mitre_tactic_id_and_name": "TA0007 - Discovery", + "mitre_technique_id_and_name": "T1012 - Query Registry", + "module_id": "Behavioral Threat Protection", + "fw_vsys": null, + "os_actor_process_command_line": null, + "os_actor_thread_thread_id": null, + "os_actor_process_image_name": null, + "os_actor_process_os_pid": null, + "os_actor_process_image_sha256": null, + "os_actor_process_signature_status": "N/A", + "os_actor_process_signature_vendor": null, + "os_actor_effective_username": null, + "action_process_signature_status": "N/A", + "action_process_signature_vendor": null, + "action_registry_data": null, + "action_registry_full_key": null, + "action_external_hostname": null, + "action_remote_ip": "8.8.8.8", + "action_remote_port": null, + "matching_service_rule_id": null, + "fw_interface_from": null, + "starred": false, + "action_process_image_command_line": null, + "action_process_image_name": null, + "action_process_image_sha256": null, + "fw_url_domain": null, + "user_agent": null, + "fw_xff": null, + "alert_domain": "DOMAIN_SECURITY", + "external_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "severity": "high", + "matching_status": "MATCHED", + "end_match_attempt_ts": null, + "local_insert_ts": 1706539597503, + "last_modified_ts": 1706539706370, + "bioc_indicator": null, + "attempt_counter": 0, + 
"bioc_category_enum_key": null, + "case_id": 391722, + "deduplicate_tokens": null, + "filter_rule_id": null, + "agent_version": "8.8.8.8", + "agent_ip_addresses_v6": null, + "agent_data_collection_status": false, + "agent_is_vdi": false, + "agent_install_type": "STANDARD", + "agent_host_boot_time": null, + "event_sub_type": null, + "association_strength": 50, + "dst_association_strength": null, + "story_id": null, + "event_id": null, + "event_timestamp": 1706540499609, + "actor_process_instance_id": null, + "actor_process_causality_id": null, + "actor_causality_id": null, + "causality_actor_process_execution_time": null, + "action_registry_key_name": null, + "action_registry_value_name": null, + "action_local_ip_v6": null, + "action_remote_ip_v6": null, + "action_process_instance_id": null, + "action_process_causality_id": null, + "os_actor_process_instance_id": null, + "os_actor_process_image_path": null, + "os_actor_process_causality_id": null, + "os_actor_causality_id": null, + "dst_agent_id": null, + "dst_causality_actor_process_execution_time": null, + "dst_action_external_hostname": null, + "dst_action_country": null, + "dst_action_external_port": null, + "is_pcap": false, + "image_id": null, + "container_name": null, + "namespace": null, + "alert_type": "Unclassified", + "resolution_status": "STATUS_020_UNDER_INVESTIGATION", + "resolution_comment": null, + "dynamic_fields": null, + "tags": "DS:PANW/XDR Agent", + "malicious_urls": null, + "dss_job_title": null, + "dss_department": null, + "dss_country": null, + "dss_groups": null, + "alert_id": "50023290705", + "detection_timestamp": 1706540499609, + "name": "Behavioral Threat", + "category": "Malware", + "endpoint_id": "9de5069c5afe602b2ea0a04b66beb2c0", + "description": "Behavioral threat detected (rule: sync.query_ntdsdit_vssadmin_remote)", + "host_ip": "8.8.8.8", + "host_name": "hostname", + "source": "XDR Agent", + "action": "REPORTED", + "action_pretty": "Detected (Reported)", + "user_name": null, + 
"events_length": 1, + "original_tags": "AS:PANE/XDR Agent" + } + ] + } +} \ No newline at end of file