{ "_index": "logstash-fileinfo-2023.11.14", "_type": "_doc", "_id": "3uPQzYsBmjVXQHqtxhFQ", "_version": 1, "_score": 1, "_source": { "event_type": "fileinfo", "net_info": { "src": [ "Internet" ], "dest_agg": "private-class-a.internet", "dest": [ "Private class A", "Internet" ], "src_agg": "internet" }, "dest_ip": "10.3.6.131", "src_port": 445, "app_proto": "smb", "fileinfo": { "sid": [], "magic": "PE32 executable (GUI) Intel 80386, for MS Windows", "tx_id": 7, "stored": false, "size": 118784, "state": "CLOSED", "filename": "server.exe", "sha256": "175e4eeee006e4a53a72819eaeae4f758f149923932960f59a9f3468f8e2173f", "mimetype": "application/x-executable", "gaps": false, "type": "PE32 executable (GUI) Intel 80386" }, "ether": { "dest_mac": "00:02:b3:f3:2e:a2", "src_mac": "00:14:1b:86:6b:7e" }, "flow_id": 1971704019427313, "@version": "1", "dest_port": 49859, "timestamp": "2023-11-14T13:33:59.392673+0100", "input": { "type": "log" }, "smb": { "status": "STATUS_SUCCESS", "tree_id": 2116061364, "id": 8, "ext_status": { "customer": 0, "text": "STATUS_SUCCESS", "short_code": "0x0", "facility": "UNDEFINED", "severity": "SUCCESS" }, "dialect": "3.11", "status_code": "0x0", "filename": "server.exe", "share": "\\\\46.8.19.163\\mise", "session_id": 4262751349, "command": "SMB2_COMMAND_READ", "fuid": "dbc41dbd-0000-0000-6fd8-484c00000000" }, "type": "json-log", "in_iface": "tppdummy0", "see_id": "6c2b59a0d0f2", "see_name": "STS-500-QALAB-SSP", "proto": "TCP", "agent": { "hostname": "discord-probe", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "name": "discord-probe", "version": "7.17.10", "type": "filebeat", "ephemeral_id": "f52d24b5-59cf-42fb-9aeb-cde609212624" }, "host": "discord-probe", "@timestamp": "2023-11-14T12:33:59.392Z", "tags": [ "beats_input_codec_json_applied" ], "src_ip": "46.8.19.163", "logger": "logstash-manager", "log": { "file": { "path": "/var/log/suricata/eve-0.json" }, "offset": 1589726462 }, "tenant": 9 }, "fields": { "agent.version.keyword": [ "7.17.10" ], "smb.ext_status.text": [ "STATUS_SUCCESS" ], "smb.ext_status.short_code.raw": [ "0x0" ], "smb.ext_status.severity": [ "SUCCESS" ], "smb.fuid.raw": [ "dbc41dbd-0000-0000-6fd8-484c00000000" ], "logger": [ "logstash-manager" ], "fileinfo.sha256.raw": [ "175e4eeee006e4a53a72819eaeae4f758f149923932960f59a9f3468f8e2173f" ], "type": [ "json-log" ], "proto.raw": [ "TCP" ], "smb.dialect.raw": [ "3.11" ], "smb.ext_status.short_code.keyword": [ "0x0" ], "event_type": [ "fileinfo" ], "smb.status.keyword": [ "STATUS_SUCCESS" ], "in_iface.raw": [ "tppdummy0" ], "smb.ext_status.text.keyword": [ "STATUS_SUCCESS" ], "agent.name": [ "discord-probe" ], "EveBox": [ 1971704019427313 ], "ether.src_mac": [ "00:14:1b:86:6b:7e" ], "tenant": [ 9 ], "smb.ext_status.customer": [ 0 ], "net_info.src.raw": [ "Internet" ], "smb.share.keyword": [ "\\\\46.8.19.163\\mise" ], "smb.filename": [ "server.exe" ], "agent.id.keyword": [ "9f305fa4-6db1-485c-81f9-598dce1469e3" ], "fileinfo.sha256.keyword": [ "175e4eeee006e4a53a72819eaeae4f758f149923932960f59a9f3468f8e2173f" ], "smb.ext_status.facility": [ "UNDEFINED" ], "input.type": [ "log" ], "agent.hostname": [ "discord-probe" ], "tags": [ "beats_input_codec_json_applied" ], "net_info.src_agg": [ "internet" ], "fileinfo.type.raw": [ "PE32 executable (GUI) Intel 80386" ], "smb.ext_status.text.raw": [ "STATUS_SUCCESS" ], "smb.fuid": [ "dbc41dbd-0000-0000-6fd8-484c00000000" ], "see_name": [ "STS-500-QALAB-SSP" ], "net_info.dest_agg": [ "private-class-a.internet" ], "agent.id": [ "9f305fa4-6db1-485c-81f9-598dce1469e3" ], "net_info.dest": [ "Private class A", "Internet" ], "dest_ip": [ "10.3.6.131" ], "agent.id.raw": [ "9f305fa4-6db1-485c-81f9-598dce1469e3" ], "smb.filename.raw": [ "server.exe" ], "agent.hostname.raw": [ "discord-probe" ], "smb.ext_status.severity.raw": [ "SUCCESS" ], "fileinfo.type": [ "PE32 executable (GUI) Intel 80386" ], "input.type.keyword": [ "log" ], "tags.keyword": [ "beats_input_codec_json_applied" ], "fileinfo.filename.keyword": [ "server.exe" ], "see_id.raw": [ "6c2b59a0d0f2" ], "net_info.dest.keyword": [ "Private class A", "Internet" ], "fileinfo.mimetype": [ "application/x-executable" ], "in_iface.keyword": [ "tppdummy0" ], "agent.type": [ "filebeat" ], "logger.raw": [ "logstash-manager" ], "fileinfo.filename": [ "server.exe" ], "ether.src_mac.raw": [ "00:14:1b:86:6b:7e" ], "ether.src_mac.keyword": [ "00:14:1b:86:6b:7e" ], "app_proto.raw": [ "smb" ], "smb.session_id": [ "4262751349" ], "agent.name.raw": [ "discord-probe" ], "timestamp": [ "2023-11-14T12:33:59.392Z" ], "agent.type.keyword": [ "filebeat" ], "agent.ephemeral_id.keyword": [ "f52d24b5-59cf-42fb-9aeb-cde609212624" ], "agent.name.keyword": [ "discord-probe" ], "net_info.dest_agg.raw": [ "private-class-a.internet" ], "fileinfo.state.raw": [ "CLOSED" ], "fileinfo.state.keyword": [ "CLOSED" ], "agent.ephemeral_id.raw": [ "f52d24b5-59cf-42fb-9aeb-cde609212624" ], "agent.type.raw": [ "filebeat" ], "smb.fuid.keyword": [ "dbc41dbd-0000-0000-6fd8-484c00000000" ], "@timestamp": [ "2023-11-14T12:33:59.392Z" ], "net_info.dest_agg.keyword": [ "private-class-a.internet" ], "log.file.path": [ "/var/log/suricata/eve-0.json" ], "fileinfo.filename.raw": [ "server.exe" ], "agent.ephemeral_id": [ "f52d24b5-59cf-42fb-9aeb-cde609212624" ], "fileinfo.size": [ 118784 ], "see_id": [ "6c2b59a0d0f2" ], "smb.share": [ "\\\\46.8.19.163\\mise" ], "fileinfo.mimetype.raw": [ "application/x-executable" ], "ether.dest_mac.keyword": [ "00:02:b3:f3:2e:a2" ], "net_info.src_agg.keyword": [ "internet" ], "smb.ext_status.short_code": [ "0x0" ], "fileinfo.tx_id": [ 7 ], "agent.hostname.keyword": [ "discord-probe" ], "see_id.keyword": [ "6c2b59a0d0f2" ], "smb.command.keyword": [ "SMB2_COMMAND_READ" ], "smb.share.raw": [ "\\\\46.8.19.163\\mise" ], "proto.keyword": [ "TCP" ], "type.keyword": [ "json-log" ], "flow_id": [ 1971704019427313 ], "see_name.keyword": [ "STS-500-QALAB-SSP" ], "fileinfo.gaps": [ false ], "host": [ "discord-probe" ], "fileinfo.type.keyword": [ "PE32 executable (GUI) Intel 80386" ], "smb.status_code": [ "0x0" ], "smb.status_code.keyword": [ "0x0" ], "host.keyword": [ "discord-probe" ], "smb.status_code.raw": [ "0x0" ], "dest_port": [ 49859 ], "agent.version.raw": [ "7.17.10" ], "tags.raw": [ "beats_input_codec_json_applied" ], "smb.status.raw": [ "STATUS_SUCCESS" ], "fileinfo.state": [ "CLOSED" ], "log.offset": [ 1589726462 ], "input.type.raw": [ "log" ], "smb.ext_status.severity.keyword": [ "SUCCESS" ], "app_proto.keyword": [ "smb" ], "dest_ip.keyword": [ "10.3.6.131" ], "smb.command.raw": [ "SMB2_COMMAND_READ" ], "logger.keyword": [ "logstash-manager" ], "proto": [ "TCP" ], "log.file.path.raw": [ "/var/log/suricata/eve-0.json" ], "agent.version": [ "7.17.10" ], "ether.dest_mac.raw": [ "00:02:b3:f3:2e:a2" ], "smb.session_id.raw": [ "4262751349" ], "see_name.raw": [ "STS-500-QALAB-SSP" ], "fileinfo.magic.raw": [ "PE32 executable (GUI) Intel 80386, for MS Windows" ], "net_info.src": [ "Internet" ], "smb.filename.keyword": [ "server.exe" ], "ether.dest_mac": [ "00:02:b3:f3:2e:a2" ], "event_type.keyword": [ "fileinfo" ], "smb.dialect.keyword": [ "3.11" ], "fileinfo.mimetype.keyword": [ "application/x-executable" ], "smb.dialect": [ "3.11" ], "src_ip": [ "46.8.19.163" ], "fileinfo.stored": [ false ], "net_info.src_agg.raw": [ "internet" ], "@version": [ "1" ], "smb.status": [ "STATUS_SUCCESS" ], "src_ip.keyword": [ "46.8.19.163" ], "log.file.path.keyword": [ "/var/log/suricata/eve-0.json" ], "net_info.dest.raw": [ "Private class A", "Internet" ], "smb.ext_status.facility.keyword": [ "UNDEFINED" ], "host.raw": [ "discord-probe" ], "smb.command": [ "SMB2_COMMAND_READ" ], "type.raw": [ "json-log" ], "smb.id": [ 8 ], "dest_ip.raw": [ "10.3.6.131" ], "app_proto": [ "smb" ], "fileinfo.sha256": [ "175e4eeee006e4a53a72819eaeae4f758f149923932960f59a9f3468f8e2173f" ], "fileinfo.magic": [ "PE32 executable (GUI) Intel 80386, for MS Windows" ], "net_info.src.keyword": [ "Internet" ], "in_iface": [ "tppdummy0" ], "src_port": [ 445 ], "src_ip.raw": [ "46.8.19.163" ], "event_type.raw": [ "fileinfo" ], "smb.tree_id": [ 2116061364 ], "fileinfo.magic.keyword": [ "PE32 executable (GUI) Intel 80386, for MS Windows" ], "smb.ext_status.facility.raw": [ "UNDEFINED" ] } }