{ "_index": "logstash-fileinfo-2023.11.14", "_type": "_doc", "_id": "LO3RzYsBmjVXQHqtljnT", "_version": 1, "_score": 1, "_source": { "event_type": "fileinfo", "net_info": { "src": [ "Private class B", "Internet" ], "dest_agg": "internet", "dest": [ "Internet" ], "src_agg": "private-class-b.internet" }, "dest_ip": "54.144.214.6", "src_port": 64234, "app_proto": "smtp", "fileinfo": { "sid": [], "magic": "Zip archive data, at least v?[0x314] to extract", "tx_id": 0, "stored": false, "size": 640031, "state": "CLOSED", "filename": "Recourse Communications, Inc.zip", "sha256": "fdc9ddddb1a6478db87cc46da107bbe5658f2357d8e8c5a292ac2e03f1f51c41", "mimetype": "application/zip", "gaps": false, "type": "Zip archive data" }, "ether": { "dest_mac": "00:0b:46:93:86:da", "src_mac": "00:02:fb:34:b4:fa" }, "flow_id": 1654827800928204, "@version": "1", "dest_port": 587, "timestamp": "2023-11-14T13:34:53.710459+0100", "input": { "type": "log" }, "type": "json-log", "smtp": { "helo": "[127.0.0.1]", "mail_from": "", "rcpt_to": [ "" ] }, "in_iface": "tppdummy0", "see_id": "6c2b59a0d0f2", "see_name": "STS-500-QALAB-SSP", "proto": "TCP", "app_proto_tc": "failed", "agent": { "hostname": "discord-probe", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "name": "discord-probe", "version": "7.17.10", "type": "filebeat", "ephemeral_id": "f52d24b5-59cf-42fb-9aeb-cde609212624" }, "host": "discord-probe", "@timestamp": "2023-11-14T12:34:53.710Z", "tags": [ "beats_input_codec_json_applied" ], "src_ip": "172.16.1.137", "logger": "logstash-manager", "email": { "status": "BODY_END_BOUND", "from": "\"Michael Moore (Recourse Communications, Inc)\" ", "url": [ "https://www.rciars.com/media/rcisolutions/client/rci_tagline_cmyk.png", "https://www.rciars.com" ], "attachment": [ "Recourse Communications, Inc.zip" ], "to": [ "\"\" " ] }, "log": { "file": { "path": "/var/log/suricata/eve-0.json" }, "offset": 1591006315 }, "tenant": 9 }, "fields": { "agent.version.keyword": [ "7.17.10" ], "smtp.mail_from.keyword": [ "" ], "email.status": [ "BODY_END_BOUND" ], "email.status.keyword": [ "BODY_END_BOUND" ], "smtp.mail_from.raw": [ "" ], "logger": [ "logstash-manager" ], "fileinfo.sha256.raw": [ "fdc9ddddb1a6478db87cc46da107bbe5658f2357d8e8c5a292ac2e03f1f51c41" ], "type": [ "json-log" ], "proto.raw": [ "TCP" ], "smtp.helo": [ "[127.0.0.1]" ], "event_type": [ "fileinfo" ], "in_iface.raw": [ "tppdummy0" ], "email.to.raw": [ "\"\" " ], "agent.name": [ "discord-probe" ], "EveBox": [ 1654827800928204 ], "ether.src_mac": [ "00:02:fb:34:b4:fa" ], "tenant": [ 9 ], "net_info.src.raw": [ "Private class B", "Internet" ], "agent.id.keyword": [ "9f305fa4-6db1-485c-81f9-598dce1469e3" ], "app_proto_tc.keyword": [ "failed" ], "fileinfo.sha256.keyword": [ "fdc9ddddb1a6478db87cc46da107bbe5658f2357d8e8c5a292ac2e03f1f51c41" ], "input.type": [ "log" ], "agent.hostname": [ "discord-probe" ], "tags": [ "beats_input_codec_json_applied" ], "net_info.src_agg": [ "private-class-b.internet" ], "fileinfo.type.raw": [ "Zip archive data" ], "see_name": [ "STS-500-QALAB-SSP" ], "net_info.dest_agg": [ "internet" ], "agent.id": [ "9f305fa4-6db1-485c-81f9-598dce1469e3" ], "net_info.dest": [ "Internet" ], "dest_ip": [ "54.144.214.6" ], "agent.id.raw": [ "9f305fa4-6db1-485c-81f9-598dce1469e3" ], "email.status.raw": [ "BODY_END_BOUND" ], "agent.hostname.raw": [ "discord-probe" ], "fileinfo.type": [ "Zip archive data" ], "input.type.keyword": [ "log" ], "tags.keyword": [ "beats_input_codec_json_applied" ], "fileinfo.filename.keyword": [ "Recourse Communications, Inc.zip" ], "see_id.raw": [ "6c2b59a0d0f2" ], "smtp.helo.raw": [ "[127.0.0.1]" ], "net_info.dest.keyword": [ "Internet" ], "email.url": [ "https://www.rciars.com/media/rcisolutions/client/rci_tagline_cmyk.png", "https://www.rciars.com" ], "fileinfo.mimetype": [ "application/zip" ], "in_iface.keyword": [ "tppdummy0" ], "email.to": [ "\"\" " ], "agent.type": [ "filebeat" ], "logger.raw": [ "logstash-manager" ], "fileinfo.filename": [ "Recourse Communications, Inc.zip" ], "ether.src_mac.raw": [ "00:02:fb:34:b4:fa" ], "ether.src_mac.keyword": [ "00:02:fb:34:b4:fa" ], "app_proto.raw": [ "smtp" ], "smtp.rcpt_to.raw": [ "" ], "email.from": [ "\"Michael Moore (Recourse Communications, Inc)\" " ], "app_proto_tc.raw": [ "failed" ], "agent.name.raw": [ "discord-probe" ], "smtp.mail_from": [ "" ], "timestamp": [ "2023-11-14T12:34:53.710Z" ], "agent.type.keyword": [ "filebeat" ], "agent.ephemeral_id.keyword": [ "f52d24b5-59cf-42fb-9aeb-cde609212624" ], "agent.name.keyword": [ "discord-probe" ], "email.url.keyword": [ "https://www.rciars.com/media/rcisolutions/client/rci_tagline_cmyk.png", "https://www.rciars.com" ], "net_info.dest_agg.raw": [ "internet" ], "app_proto_tc": [ "failed" ], "email.attachment.keyword": [ "Recourse Communications, Inc.zip" ], "fileinfo.state.raw": [ "CLOSED" ], "fileinfo.state.keyword": [ "CLOSED" ], "agent.ephemeral_id.raw": [ "f52d24b5-59cf-42fb-9aeb-cde609212624" ], "email.from.keyword": [ "\"Michael Moore (Recourse Communications, Inc)\" " ], "agent.type.raw": [ "filebeat" ], "@timestamp": [ "2023-11-14T12:34:53.710Z" ], "email.attachment": [ "Recourse Communications, Inc.zip" ], "net_info.dest_agg.keyword": [ "internet" ], "log.file.path": [ "/var/log/suricata/eve-0.json" ], "fileinfo.filename.raw": [ "Recourse Communications, Inc.zip" ], "agent.ephemeral_id": [ "f52d24b5-59cf-42fb-9aeb-cde609212624" ], "fileinfo.size": [ 640031 ], "see_id": [ "6c2b59a0d0f2" ], "fileinfo.mimetype.raw": [ "application/zip" ], "ether.dest_mac.keyword": [ "00:0b:46:93:86:da" ], "smtp.rcpt_to.keyword": [ "" ], "net_info.src_agg.keyword": [ "private-class-b.internet" ], "fileinfo.tx_id": [ 0 ], "agent.hostname.keyword": [ "discord-probe" ], "see_id.keyword": [ "6c2b59a0d0f2" ], "proto.keyword": [ "TCP" ], "type.keyword": [ "json-log" ], "flow_id": [ 1654827800928204 ], "see_name.keyword": [ "STS-500-QALAB-SSP" ], "fileinfo.gaps": [ false ], "host": [ "discord-probe" ], "fileinfo.type.keyword": [ "Zip archive data" ], "email.attachment.raw": [ "Recourse Communications, Inc.zip" ], "email.from.raw": [ "\"Michael Moore (Recourse Communications, Inc)\" " ], "host.keyword": [ "discord-probe" ], "dest_port": [ 587 ], "agent.version.raw": [ "7.17.10" ], "tags.raw": [ "beats_input_codec_json_applied" ], "email.to.keyword": [ "\"\" " ], "fileinfo.state": [ "CLOSED" ], "log.offset": [ 1591006315 ], "input.type.raw": [ "log" ], "smtp.helo.keyword": [ "[127.0.0.1]" ], "app_proto.keyword": [ "smtp" ], "dest_ip.keyword": [ "54.144.214.6" ], "logger.keyword": [ "logstash-manager" ], "proto": [ "TCP" ], "log.file.path.raw": [ "/var/log/suricata/eve-0.json" ], "agent.version": [ "7.17.10" ], "ether.dest_mac.raw": [ "00:0b:46:93:86:da" ], "see_name.raw": [ "STS-500-QALAB-SSP" ], "fileinfo.magic.raw": [ "Zip archive data, at least v?[0x314] to extract" ], "net_info.src": [ "Private class B", "Internet" ], "ether.dest_mac": [ "00:0b:46:93:86:da" ], "event_type.keyword": [ "fileinfo" ], "fileinfo.mimetype.keyword": [ "application/zip" ], "src_ip": [ "172.16.1.137" ], "fileinfo.stored": [ false ], "net_info.src_agg.raw": [ "private-class-b.internet" ], "@version": [ "1" ], "src_ip.keyword": [ "172.16.1.137" ], "smtp.rcpt_to": [ "" ], "log.file.path.keyword": [ "/var/log/suricata/eve-0.json" ], "net_info.dest.raw": [ "Internet" ], "host.raw": [ "discord-probe" ], "type.raw": [ "json-log" ], "email.url.raw": [ "https://www.rciars.com/media/rcisolutions/client/rci_tagline_cmyk.png", "https://www.rciars.com" ], "dest_ip.raw": [ "54.144.214.6" ], "app_proto": [ "smtp" ], "fileinfo.sha256": [ "fdc9ddddb1a6478db87cc46da107bbe5658f2357d8e8c5a292ac2e03f1f51c41" ], "fileinfo.magic": [ "Zip archive data, at least v?[0x314] to extract" ], "net_info.src.keyword": [ "Private class B", "Internet" ], "in_iface": [ "tppdummy0" ], "src_port": [ 64234 ], "src_ip.raw": [ "172.16.1.137" ], "event_type.raw": [ "fileinfo" ], "fileinfo.magic.keyword": [ "Zip archive data, at least v?[0x314] to extract" ] } }