{ "_index": "logstash-smb_insights-2025.07.21", "_type": "_doc", "_id": "t-_-KpgBY5wsHhhkSCmf", "_version": 1, "_score": 1, "_source": { "@timestamp": "2025-07-21T03:01:39.940Z", "log": { "file": { "path": "/var/log/suricata/eve-nsm-1.json" }, "offset": 449046674 }, "input": { "type": "log" }, "logger": "logstash-manager", "type": "json-log", "uuid": "ac7d412b-8d4f-423f-b0ad-82aebb9e5311", "smb_insights": { "flags": { "missing_status": true }, "trackers": { "command": { "count": 12, "counters": { "SMB2_COMMAND_NEGOTIATE_PROTOCOL": 1, "SMB2_COMMAND_TREE_CONNECT": 3, "SMB2_COMMAND_TREE_DISCONNECT": 2, "SMB2_COMMAND_SESSION_SETUP": 2, "SMB2_COMMAND_WRITE": 13, "SMB2_COMMAND_CLOSE": 55, "SMB1_COMMAND_NEGOTIATE_PROTOCOL": 1, "SMB2_COMMAND_FIND": 42, "SMB2_COMMAND_CANCEL": 6, "SMB2_COMMAND_CHANGE_NOTIFY": 9, "SMB2_COMMAND_CREATE": 63, "SMB2_COMMAND_IOCTL": 31 }, "uniq": [ "SMB2_COMMAND_CANCEL", "SMB1_COMMAND_NEGOTIATE_PROTOCOL", "SMB2_COMMAND_CREATE", "SMB2_COMMAND_IOCTL", "SMB2_COMMAND_CLOSE", "SMB2_COMMAND_NEGOTIATE_PROTOCOL", "SMB2_COMMAND_SESSION_SETUP", "SMB2_COMMAND_TREE_CONNECT", "SMB2_COMMAND_WRITE", "SMB2_COMMAND_FIND", "SMB2_COMMAND_CHANGE_NOTIFY", "SMB2_COMMAND_TREE_DISCONNECT" ] }, "dcerpc_endpoint": { "count": 19, "counters": { "NetrShareGetInfo": 1, "SamrEnumerateDomainsInSamServer": 1, "SamrGetAliasMembership": 1, "SamrQuerySecurityObject": 1, "LsarClose": 2, "DsRolerGetPrimaryDomainInformation": 3, "SamrCloseHandle": 4, "LsarOpenPolicy2": 3, "SamrLookupDomainInSamServer": 1, "SamrConnect5": 1, "LsarQueryInformationPolicy": 1, "SamrGetGroupsForUser": 1, "SamrOpenDomain": 2, "NetrServerGetInfo": 1, "SamrQueryInformationUser": 1, "LsarLookupSids2": 2, "SamrLookupNamesInDomain": 1, "SamrOpenUser": 1, "SamrConnect": 1 }, "uniq": [ "SamrCloseHandle", "LsarOpenPolicy2", "LsarClose", "SamrConnect5", "SamrLookupDomainInSamServer", "SamrOpenDomain", "SamrConnect", "NetrShareGetInfo", "SamrQuerySecurityObject", "SamrGetGroupsForUser", "NetrServerGetInfo", "DsRolerGetPrimaryDomainInformation", "LsarQueryInformationPolicy", "SamrEnumerateDomainsInSamServer", "SamrLookupNamesInDomain", "SamrOpenUser", "LsarLookupSids2", "SamrQueryInformationUser", "SamrGetAliasMembership" ] }, "mime_type": { "count": 0 }, "function": { "count": 2, "uniq": [ "FSCTL_SRV_ENUMERATE_SNAPSHOTS", "FSCTL_DFS_GET_REFERRALS" ] }, "ntlmssp_host": { "count": 1, "uniq": [ "LAPTOP-7656VJQM" ] }, "filename": { "count": 19, "uniq": [ "Jolly Molly\\04_Analysis", "wkssvc", "lsarpc", "", "srvsvc", "desktop.ini", "Jolly Molly\\07_ORDERS", "Jolly Molly\\01_S2\\Ordering\\Order Approval List 20 + Intel requests (2).xlsx", "Jolly Molly\\02_S3\\BC table2_20200120.htm", "Jolly Molly\\02_S3\\BDF DW FragO\\211240AN20-FG23-FRAGO-005-INFORMATION_COLLECTION.doc", "Jolly Molly\\02_S3\\BC table2_20200120_files\\sheet001.htm", "Jolly Molly\\02_S3\\BC table2_20200120_files\\stylesheet.css", "Jolly Molly\\02_S3\\BC table2_20200120_files\\tabstrip.htm", "samr", "Jolly Molly", "Jolly Molly\\06_COS", "Jolly Molly\\02_S3\\BC table2_20200120_files\\filelist.xml", "Jolly Molly\\07_ORDERS\\211240AN20-FG23-FRAGO-005-INFORMATION_COLLECTION.doc", "Jolly Molly\\desktop.ini" ] }, "named_pipe": { "count": 1, "counters": { "\\\\share.bf.network\\IPC$": 2 }, "uniq": [ "\\\\share.bf.network\\IPC$" ] }, "ntlmssp_user": { "count": 1, "uniq": [ "cycom" ] }, "status": { "count": 8, "counters": { "STATUS_PENDING": 8, "STATUS_INVALID_DEVICE_REQUEST": 1, "STATUS_NO_MORE_FILES": 19, "STATUS_OBJECT_NAME_NOT_FOUND": 2, "STATUS_SUCCESS": 181, "STATUS_MORE_PROCESSING_REQUIRED": 1, "STATUS_NOT_FOUND": 1, "STATUS_PRIVILEGE_NOT_HELD": 2 }, "uniq": [ "STATUS_SUCCESS", "STATUS_MORE_PROCESSING_REQUIRED", "STATUS_NOT_FOUND", "STATUS_OBJECT_NAME_NOT_FOUND", "STATUS_NO_MORE_FILES", "STATUS_PENDING", "STATUS_PRIVILEGE_NOT_HELD", "STATUS_INVALID_DEVICE_REQUEST" ] }, "kerberos_realm": { "count": 0 }, "ntlmssp_domain": { "count": 1, "uniq": [ "MicrosoftAccount" ] }, "kerberos_sname": { "count": 0 }, "flowbits": { "count": 1, "uniq": [ "ET.smbdcerpc.endians" ] }, "share": { "count": 1, "counters": { "\\\\share.bf.network\\icecream$": 1 }, "uniq": [ "\\\\share.bf.network\\icecream$" ] } }, "first_seen": "2025-07-21T05:01:39.940401+0200", "events": 228, "last_seen": "2025-07-21T05:11:44.216095+0200" }, "timestamp": "2025-07-21T05:01:39.940401+02:00", "agent": { "name": "deciso1", "type": "filebeat", "hostname": "deciso1", "ephemeral_id": "4949e496-0776-4f1a-91d2-ec2ba5e3f6c6", "version": "7.17.29", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3" }, "see_id": "6c2b59a0d0f2", "src_ip": "10.107.124.33", "host": "deciso1", "tenant": 4, "see_name": "STS-500-QALAB-SSP", "tags": [ "beats_input_codec_json_applied" ], "dest_ip": "100.64.32.60", "event_type": "smb_insights", "flow_id": 875522548889730, "@version": "1" } }