{
  "@version": "1",
  "payload_printable": "....g...c...,.....^...*..T..w\nytm..d.f...WZ .X,.rQw$.$8p........m.@.pX...q... zz.......+./.,.0............./.5.........\r..................................#..Di.....h2.......h2.http/1.1.............bzib.nelreports.net..............\n.\n..**.......+...\n\n.....-.....3.+.)**...... ....N+.,.7....m..I.~&..4S?T....S...........).+......w...@.-;*(.4.H......)...sn..4.+[(.h.o..w,...V.i..%...H..x.4.J..}=..'..@h...g//./.\r.j...rcSy.]....9Vw...\n...Y.y.....d8.W..*.N...9;e..\n..%La]..l.=.@.G.k....t............G.{UHH:C....)%..eCW.K....)...\\\n!..3......7...g........[.bG..o.........*0.b..10....V.d..gZ3.8.HX{d..5.{<..au.M..S............oH",
  "src_ip": "10.6.22.101",
  "stream": 1,
  "net_info": {},
  "geoip": {
    "registered_country": {
      "name": "United States",
      "geoname_id": 6252001,
      "iso_code": "US"
    },
    "country_name": "United States",
    "country": {
      "name": "United States",
      "geoname_id": 6252001,
      "iso_code": "US"
    },
    "provider": {
      "autonomous_system_number": 24835,
      "autonomous_system_organization": "RAYA Telecom - Egypt"
    },
    "country_code2": "US",
    "timezone": "",
    "longitude": -97.822,
    "country_code3": "US",
    "latitude": 37.751,
    "continent_code": "NA",
    "coordinate": [
      -97.822,
      37.751
    ],
    "ip": "23.218.232.190",
    "location": {
      "lat": 37.751,
      "lon": -97.822
    },
    "continent": {
      "name": "North America",
      "geoname_id": 6255149,
      "code": "NA"
    }
  },
  "type": "json-log",
  "dest_port": 443,
  "app_proto": "tls",
  "agent": {
    "type": "filebeat",
    "id": "9f305fa4-6db1-485c-81f9-598dce1469e3",
    "hostname": "SSProbe-1",
    "version": "7.17.10",
    "name": "SSProbe-1",
    "ephemeral_id": "1809c2b3-d613-46fb-8315-a136a6e88b06"
  },
  "payload": "FgMBAmcBAAJjAwOGLIsBi6cCXhTQkyrNG1So4ncKeXRtnZdk0Gad17NXWiDqWCzpclF3JN8kOHD/upqTp8yZvm3BQI5wWJ8bz3H3pwAgenoTARMCEwPAK8AvwCzAMMypzKjAE8AUAJwAnQAvADUBAAH62toAAAANABIAEAQDCAQEAQUDCAUFAQgGBgEAGwADAgACAAsAAgEAACMAAERpAAUAAwJoMgAQAA4ADAJoMghodHRwLzEuMQAXAAAAAAAYABYAABNiemliLm5lbHJlcG9ydHMubmV0AAUABQEAAAAAABIAAAAKAAoACCoqAB0AFwAYACsABwYKCgMEAwMALQACAQEAMwArACkqKgABAAAdACDHxQ8eTivtLBg3/5bcpG3dqUmzfiakqjRTP1Se4tkUU/8BAAEAiooAAQAAKQErAPYA8AAAd5suAEC+LTsqKLY0iEjuwqwa5uwp8vQUc27kpzSIK1so6GiQb/eodyyoHJ9WEGnQ8SWwysRIpL54gTTdShfafT2fHSeCDkBo7JUTZy8v6C/DDbVqEfvYcmNTedZdE67RtDlWd8CDsgoL+s5ZtnmP/BCDB2Q4hFeo5yoITvyXyDk7ZRX1CsbVJUxhXdTXbBA9tEDjRxBr9wK4sXT26AC4yB+ph6f3vrFHxntVSEg6Q7HrA8cpJY/lZUNX9kv9C+mhKYvVtlwKIReSM8EBsdvLkzf8wxZn3KOYrb2qsBxb4mJHtK5v+O7KEJbL1I8eKjCIYgUAMTAf2hHjVpZktQZnWjO0OJpIWHtk1QU1nns8/ZVhdbVNuIxTmrKdB8bYsL9/mYO9b0g=",
  "event_type": "alert",
  "src_port": 50863,
  "packet": "ANePBDapEB90zYzXCABFAAB46ylAAIAG7lIKBhZlF9rovsavAbuaXiYfdk7Cz1AY+eJnZwAAFAMDAAEBFwMDAEXvZ5+xl2YzE+PpR8gY402OMgGyju88ah3XmWDXC/h9pc5CiIl0DT5IqDg16+ajywYZsrePwP8kSM1uCwtXqfMEv3VWK60=",
  "flow_id": 1719152525671109,
  "capture_file": "/var/log/suricata/pcaps//log-1698375857-1.pcap",
  "host": "SSProbe-1",
  "tags": [
    "beats_input_codec_json_applied"
  ],
  "tx_id": 0,
  "@timestamp": "2023-10-27T03:08:22.669Z",
  "tls": {
    "cipher_security": "recommended",
    "cipher_suite": "TLS_AES_256_GCM_SHA384",
    "sni": "bzib.nelreports.net",
    "version": "TLS 1.3",
    "ja3": {
      "string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,13-27-11-35-17513-16-23-0-5-18-10-43-45-51-65281-41,29-23-24,0",
      "hash": "48ef4c3ad5f4e3c8587a263929c2a451"
    },
    "ja3s": {
      "string": "771,4866,43-51-41",
      "hash": "2253c82f03b621c5144709b393fde2c9"
    }
  },
  "input": {
    "type": "log"
  },
  "proto": "TCP",
  "tenant": 21,
  "log": {
    "file": {
      "path": "/var/log/suricata/eve-discovery-0.json"
    },
    "offset": 198238308
  },
  "dest_ip": "23.218.232.190",
  "metadata": {
    "flowbits": [
      "stamus.sightings"
    ]
  },
  "alert": {
    "metadata": {
      "provider": [
        "Stamus"
      ],
      "sightings_key": [
        "tls.ja3.hash"
      ],
      "updated_at": [
        "2023_01_09"
      ],
      "stamus_classification": [
        "stamus_sightings"
      ],
      "sightings_asset": [
        "src_ip"
      ],
      "created_at": [
        "2022_01_25"
      ]
    },
    "source": {
      "ip": "23.218.232.190",
      "port": 443
    },
    "severity": 3,
    "rev": 2,
    "signature_id": 3120008,
    "category": "Unknown Traffic",
    "signature": "SN SIGHTINGS Newly discovered TLS JA3 clients not seen",
    "action": "allowed",
    "target": {
      "ip": "10.6.22.101",
      "port": 50863
    },
    "gid": 1
  },
  "hostname_info": {
    "domain_without_tld": "nelreports",
    "tld": "net",
    "subdomain": "bzib",
    "url": "bzib.nelreports.net",
    "host": "bzib.nelreports.net",
    "domain": "nelreports.net"
  },
  "timestamp": "2023-10-27T05:08:22.669012+0200",
  "alerted": true,
  "in_iface": "tppdummy0",
  "packet_info": {
    "linktype": 1
  },
  "discovery": {
    "asset_role": [],
    "key": "tls.ja3.hash",
    "asset": "10.6.22.101",
    "value": "48ef4c3ad5f4e3c8587a263929c2a451",
    "asset_net": null
  },
  "logger": "logstash-manager",
  "ether": {
    "src_mac": "10:1f:74:cd:8c:d7",
    "dest_mac": "00:d7:8f:04:36:a9"
  },
  "flow": {
    "start": "2023-10-27T05:08:22.662415+0200",
    "bytes_toclient": 436,
    "bytes_toserver": 928,
    "src_ip": "10.6.22.101",
    "pkts_toserver": 4,
    "pkts_toclient": 3,
    "src_port": 50863,
    "dest_ip": "23.218.232.190",
    "dest_port": 443
  },
  "_id": "2OYab4sB5E6z3zvuN_Kx"
}