{ "_index": "logstash-dns-2022.09.11", "_type": "_doc", "_id": "JgryLYMBfTCdXV7amCF8", "_version": 1, "_score": null, "_source": { "input": { "type": "log" }, "proto": "UDP", "log": { "offset": 1321241975, "file": { "path": "/var/log/suricata/eve-0.json" } }, "src_port": 60641, "see_id": "2e2cf4a77cbd", "hostname_info": { "domain": "penso.com.br", "url": "zimbra.penso.com.br", "host": "zimbra.penso.com.br", "domain_without_tld": "penso", "tld": "com.br", "subdomain": "zimbra" }, "src_ip": "10.0.0.115", "net_info": { "dest_agg": "user.rlsyn.org.affected-users", "dest": [ "USER.rlsyn.org", "AFFECTED USERS" ] }, "@version": "1", "@timestamp": "2022-09-11T19:07:00.776Z", "ether": { "dest_mac": "a4:1f:72:c2:09:6a", "src_mac": "00:08:02:1c:47:ae" }, "host": "SSProbe-1", "ecs": { "version": "1.12.0" }, "dest_port": 53, "type": "json-log", "tags": [ "beats_input_codec_json_applied" ], "timestamp": "2022-09-11T21:07:00.776306+0200", "dns": { "version": 2, "rcode": "NOERROR", "id": 11099, "type": "answer", "ra": true, "qr": true, "flags": "8180", "grouped": { "A": [ "200.219.235.43" ] }, "rrname": "zimbra.penso.com.br", "rrtype": "A", "rd": true }, "see_name": "stamus-central-server", "dest_ip": "10.0.0.10", "event_type": "dns", "agent": { "version": "7.16.1", "hostname": "SSProbe-1", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "type": "filebeat", "ephemeral_id": "da6efa0f-f749-4bb3-8918-c3514cb604ff", "name": "SSProbe-1" }, "in_iface": "tppdummy0", "flow_id": 1216984001947685 }, "fields": { "@timestamp": [ "2022-09-11T19:07:00.776Z" ], "EveBox": [ 1216984001947685 ], "timestamp": [ "2022-09-11T19:07:00.776Z" ] }, "sort": [ 1662923220776 ] }