diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index ba468c5a2d989..eff8c58a48b0d 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -87,6 +87,7 @@ /src/dev/ @elastic/kibana-operations /src/setup_node_env/ @elastic/kibana-operations /src/optimize/ @elastic/kibana-operations +/src/es_archiver/ @elastic/kibana-operations /packages/*eslint*/ @elastic/kibana-operations /packages/*babel*/ @elastic/kibana-operations /packages/kbn-dev-utils*/ @elastic/kibana-operations @@ -112,6 +113,7 @@ /src/legacy/server/logging/ @elastic/kibana-platform /src/legacy/server/saved_objects/ @elastic/kibana-platform /src/legacy/server/status/ @elastic/kibana-platform +/src/dev/run_check_core_api_changes.ts @elastic/kibana-platform # Security /src/core/server/csp/ @elastic/kibana-security @elastic/kibana-platform diff --git a/NOTICE.txt b/NOTICE.txt index 955c3127fa955..e0c5d94eff6b3 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -153,6 +153,40 @@ WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +--- +This product bundles rules based on https://github.com/BlueTeamLabs/sentinel-attack +which is available under a "MIT" license. The files based on this license are: + +- windows_defense_evasion_via_filter_manager.json +- windows_process_discovery_via_tasklist_command.json +- windows_priv_escalation_via_accessibility_features.json +- windows_persistence_via_application_shimming.json +- windows_execution_via_trusted_developer_utilities.json +- windows_execution_via_net_com_assemblies.json +- windows_execution_via_connection_manager.json + +MIT License + +Copyright (c) 2019 Edoardo Gerosa, Olaf Hartong + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies +of the Software, and to permit persons to whom the Software is furnished to do +so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + --- This product includes code that is adapted from mapbox-gl-js, which is available under a "BSD-3-Clause" license. diff --git a/docs/migration/migrate_8_0.asciidoc b/docs/migration/migrate_8_0.asciidoc index a36a93ce31825..df4d8a0b65ee7 100644 --- a/docs/migration/migrate_8_0.asciidoc +++ b/docs/migration/migrate_8_0.asciidoc @@ -80,4 +80,15 @@ specified explicitly. *Impact:* Any workflow that involved manually clearing generated bundles will have to be updated with the new path. + +[float] +[[breaking_80_reporting_changes]] +=== Reporting changes + +[float] +==== Legacy job parameters are no longer supported +*Details:* POST URL snippets that were copied in Kibana 6.2 or below are no longer supported. These logs have +been deprecated with warnings that have been logged throughout 7.x. Please use Kibana UI to re-generate the +POST URL snippets if you depend on these for automated PDF reports. + // end::notable-breaking-changes[] diff --git a/src/core/server/saved_objects/export/get_sorted_objects_for_export.test.ts b/src/core/server/saved_objects/export/get_sorted_objects_for_export.test.ts index 9a3449b65a941..fafa04447ddfe 100644 --- a/src/core/server/saved_objects/export/get_sorted_objects_for_export.test.ts +++ b/src/core/server/saved_objects/export/get_sorted_objects_for_export.test.ts @@ -108,8 +108,6 @@ describe('getSortedObjectsForExport()', () => { "namespace": undefined, "perPage": 500, "search": undefined, - "sortField": "_id", - "sortOrder": "asc", "type": Array [ "index-pattern", "search", @@ -256,8 +254,6 @@ describe('getSortedObjectsForExport()', () => { "namespace": undefined, "perPage": 500, "search": "foo", - "sortField": "_id", - "sortOrder": "asc", "type": Array [ "index-pattern", "search", @@ -345,8 +341,6 @@ describe('getSortedObjectsForExport()', () => { "namespace": "foo", "perPage": 500, "search": undefined, - "sortField": "_id", - "sortOrder": "asc", "type": Array [ "index-pattern", "search", @@ -399,6 +393,79 @@ describe('getSortedObjectsForExport()', () => { ).rejects.toThrowErrorMatchingInlineSnapshot(`"Can't export more than 1 objects"`); }); + test('sorts objects within type', async () => { + savedObjectsClient.find.mockResolvedValueOnce({ + total: 3, + per_page: 10000, + page: 1, + saved_objects: [ + { + id: '3', + type: 'index-pattern', + attributes: { + name: 'baz', + }, + references: [], + }, + { + id: '1', + type: 'index-pattern', + attributes: { + name: 'foo', + }, + references: [], + }, + { + id: '2', + type: 'index-pattern', + attributes: { + name: 'bar', + }, + references: [], + }, + ], + }); + const exportStream = await getSortedObjectsForExport({ + exportSizeLimit: 10000, + savedObjectsClient, + types: ['index-pattern'], + }); + const response = await readStreamToCompletion(exportStream); + expect(response).toMatchInlineSnapshot(` + Array [ + Object { + "attributes": Object { + "name": "foo", + }, + "id": "1", + "references": Array [], + "type": "index-pattern", + }, + Object { + "attributes": Object { + "name": "bar", + }, + "id": "2", + "references": Array [], + "type": "index-pattern", + }, + Object { + "attributes": Object { + "name": "baz", + }, + "id": "3", + "references": Array [], + "type": "index-pattern", + }, + Object { + "exportedCount": 3, + "missingRefCount": 0, + "missingReferences": Array [], + }, + ] + `); + }); + test('exports selected objects and sorts them', async () => { savedObjectsClient.bulkGet.mockResolvedValueOnce({ saved_objects: [ diff --git a/src/core/server/saved_objects/export/get_sorted_objects_for_export.ts b/src/core/server/saved_objects/export/get_sorted_objects_for_export.ts index e1a705a36db75..a4dfacfd9e34f 100644 --- a/src/core/server/saved_objects/export/get_sorted_objects_for_export.ts +++ b/src/core/server/saved_objects/export/get_sorted_objects_for_export.ts @@ -19,7 +19,7 @@ import Boom from 'boom'; import { createListStream } from '../../../../legacy/utils/streams'; -import { SavedObjectsClientContract } from '../types'; +import { SavedObjectsClientContract, SavedObject } from '../types'; import { fetchNestedDependencies } from './inject_nested_depdendencies'; import { sortObjects } from './sort_objects'; @@ -105,15 +105,17 @@ async function fetchObjectsToExport({ const findResponse = await savedObjectsClient.find({ type: types, search, - sortField: '_id', - sortOrder: 'asc', perPage: exportSizeLimit, namespace, }); if (findResponse.total > exportSizeLimit) { throw Boom.badRequest(`Can't export more than ${exportSizeLimit} objects`); } - return findResponse.saved_objects; + + // sorts server-side by _id, since it's only available in fielddata + return findResponse.saved_objects.sort((a: SavedObject, b: SavedObject) => + a.id > b.id ? 1 : -1 + ); } else { throw Boom.badRequest('Either `type` or `objects` are required.'); } @@ -137,14 +139,17 @@ export async function getSortedObjectsForExport({ exportSizeLimit, namespace, }); - let exportedObjects = [...rootObjects]; + let exportedObjects = []; let missingReferences: SavedObjectsExportResultDetails['missingReferences'] = []; + if (includeReferencesDeep) { const fetchResult = await fetchNestedDependencies(rootObjects, savedObjectsClient, namespace); - exportedObjects = fetchResult.objects; + exportedObjects = sortObjects(fetchResult.objects); missingReferences = fetchResult.missingRefs; + } else { + exportedObjects = sortObjects(rootObjects); } - exportedObjects = sortObjects(exportedObjects); + const exportDetails: SavedObjectsExportResultDetails = { exportedCount: exportedObjects.length, missingRefCount: missingReferences.length, diff --git a/src/dev/run_check_lockfile_symlinks.js b/src/dev/run_check_lockfile_symlinks.js index c1ba22d3a7a44..e7fd7e8831405 100644 --- a/src/dev/run_check_lockfile_symlinks.js +++ b/src/dev/run_check_lockfile_symlinks.js @@ -17,7 +17,7 @@ * under the License. */ -import { existsSync, lstatSync, readFileSync } from 'fs'; +import { existsSync, lstatSync, readFileSync, readlinkSync } from 'fs'; import globby from 'globby'; import { dirname } from 'path'; @@ -63,6 +63,7 @@ async function checkLockfileSymlinks(log, files) { await checkOnlyLockfileAtProjectRoot(filtered); await checkSuperfluousSymlinks(log, filtered); await checkMissingSymlinks(log, filtered); + await checkIncorrectSymlinks(log, filtered); } async function checkOnlyLockfileAtProjectRoot(files) { @@ -157,8 +158,9 @@ async function checkMissingSymlinks(log, files) { try { const json = JSON.parse(manifest); if (json.dependencies && Object.keys(json.dependencies).length) { + const correctSymlink = getCorrectSymlink(lockfilePath); log.warning( - `Manifest at '${path}' has dependencies, but did not find an adjacent 'yarn.lock' symlink.` + `Manifest at '${path}' has dependencies, but did not find an adjacent 'yarn.lock' symlink to '${correctSymlink}'.` ); errorPaths.push(`${parent}/yarn.lock`); } @@ -177,6 +179,42 @@ async function checkMissingSymlinks(log, files) { } } +async function checkIncorrectSymlinks(log, files) { + const errorPaths = []; + + files + .filter(file => matchesAnyGlob(file.getRelativePath(), LOCKFILE_GLOBS)) + .forEach(file => { + const path = file.getRelativePath(); + const stats = lstatSync(path); + if (!stats.isSymbolicLink()) { + return; + } + + const symlink = readlinkSync(path); + const correctSymlink = getCorrectSymlink(path); + if (symlink !== correctSymlink) { + log.warning( + `Symlink at '${path}' points to '${symlink}', but it should point to '${correctSymlink}'.` + ); + errorPaths.push(path); + } + }); + + if (errorPaths.length) { + throw createFailError( + `These symlinks do NOT point to the 'yarn.lock' file in the project root:\n${listPaths( + errorPaths + )}` + ); + } +} + +function getCorrectSymlink(path) { + const count = path.split('/').length - 1; + return `${'../'.repeat(count)}yarn.lock`; +} + function listPaths(paths) { return paths.map(path => ` - ${path}`).join('\n'); } diff --git a/src/legacy/core_plugins/kibana/public/discover/kibana_services.ts b/src/legacy/core_plugins/kibana/public/discover/kibana_services.ts index 27aa920c98aad..58406c74e9f38 100644 --- a/src/legacy/core_plugins/kibana/public/discover/kibana_services.ts +++ b/src/legacy/core_plugins/kibana/public/discover/kibana_services.ts @@ -62,8 +62,6 @@ export { getRequestInspectorStats, getResponseInspectorStats } from '../../../da export { intervalOptions } from 'ui/agg_types/buckets/_interval_options'; // @ts-ignore export { migrateLegacyQuery } from 'ui/utils/migrate_legacy_query'; -// @ts-ignore -export { RequestAdapter } from 'ui/inspector/adapters'; export { SavedObjectSaveModal } from 'ui/saved_objects/components/saved_object_save_modal'; export { showSaveModal } from 'ui/saved_objects/show_saved_object_save_modal'; export { stateMonitorFactory } from 'ui/state_management/state_monitor_factory'; @@ -92,7 +90,6 @@ export { SortDirection, } from '../../../../../plugins/data/public'; export { ElasticSearchHit } from './np_ready/doc_views/doc_views_types'; -export { Adapters } from 'ui/inspector/types'; export { registerTimefilterWithGlobalStateFactory } from 'ui/timefilter/setup_router'; export { FieldName } from 'ui/directives/field_name/field_name'; export { getFormat } from 'ui/visualize/loader/pipeline_helpers/utilities'; diff --git a/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/discover.js b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/discover.js index dd782f97b075d..3f3333b7caec2 100644 --- a/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/discover.js +++ b/src/legacy/core_plugins/kibana/public/discover/np_ready/angular/discover.js @@ -25,6 +25,7 @@ import dateMath from '@elastic/datemath'; import { i18n } from '@kbn/i18n'; import '../components/field_chooser/field_chooser'; +import { RequestAdapter } from '../../../../../../../plugins/inspector/public'; // doc table import './doc_table'; import { getSort } from './doc_table/lib/get_sort'; @@ -46,7 +47,6 @@ import { hasSearchStategyForIndexPattern, intervalOptions, migrateLegacyQuery, - RequestAdapter, showSaveModal, unhashUrl, stateMonitorFactory, diff --git a/src/legacy/core_plugins/kibana/public/discover/np_ready/embeddable/search_embeddable.ts b/src/legacy/core_plugins/kibana/public/discover/np_ready/embeddable/search_embeddable.ts index c840f1fbd87ed..f47cf52c756ac 100644 --- a/src/legacy/core_plugins/kibana/public/discover/np_ready/embeddable/search_embeddable.ts +++ b/src/legacy/core_plugins/kibana/public/discover/np_ready/embeddable/search_embeddable.ts @@ -21,6 +21,7 @@ import * as Rx from 'rxjs'; import { Subscription } from 'rxjs'; import { i18n } from '@kbn/i18n'; import { TExecuteTriggerActions } from 'src/plugins/ui_actions/public'; +import { RequestAdapter, Adapters } from '../../../../../../../plugins/inspector/public'; import { esFilters, TimeRange, @@ -43,13 +44,11 @@ import { ISearchEmbeddable, SearchInput, SearchOutput } from './types'; import { SortOrder } from '../angular/doc_table/components/table_header/helpers'; import { getSortForSearchSource } from '../angular/doc_table/lib/get_sort_for_search_source'; import { - Adapters, angular, getRequestInspectorStats, getResponseInspectorStats, getServices, IndexPattern, - RequestAdapter, ISearchSource, } from '../../kibana_services'; import { SEARCH_EMBEDDABLE_TYPE } from './constants'; diff --git a/src/legacy/ui/public/agg_types/agg_type.ts b/src/legacy/ui/public/agg_types/agg_type.ts index f9b48c373e02f..a590a253d8a6c 100644 --- a/src/legacy/ui/public/agg_types/agg_type.ts +++ b/src/legacy/ui/public/agg_types/agg_type.ts @@ -24,7 +24,7 @@ import { initParams } from './agg_params'; import { AggConfig } from '../vis'; import { AggConfigs } from './agg_configs'; -import { Adapters } from '../inspector'; +import { Adapters } from '../../../../plugins/inspector/public'; import { BaseParamType } from './param_types/base'; import { AggParamType } from '../agg_types/param_types/agg'; import { KBN_FIELD_TYPES, fieldFormats, ISearchSource } from '../../../../plugins/data/public'; diff --git a/src/legacy/ui/public/inspector/README.md b/src/legacy/ui/public/inspector/README.md deleted file mode 100644 index c8133d0d9238d..0000000000000 --- a/src/legacy/ui/public/inspector/README.md +++ /dev/null @@ -1,6 +0,0 @@ -# Inspector - -- Inspector has been moved to `inspector` New Platform plugin. -- You can find its documentation in `src/plugins/inspector/README.md`. -- This folder will be deleted soon, it is deprecated, do not use anything from here. -- This folder is ready to be deleted, as soon as nothing imports from here anymore. diff --git a/src/legacy/ui/public/inspector/adapters/index.ts b/src/legacy/ui/public/inspector/adapters/index.ts deleted file mode 100644 index 55df5a33a178b..0000000000000 --- a/src/legacy/ui/public/inspector/adapters/index.ts +++ /dev/null @@ -1,27 +0,0 @@ -/* - * Licensed to Elasticsearch B.V. under one or more contributor - * license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright - * ownership. Elasticsearch B.V. licenses this file to you under - * the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -/* eslint-disable */ - -/** - * Do not use this, use NP `inspector` plugin instead. - * - * @deprecated - */ -export * from '../../../../../plugins/inspector/public/adapters/index'; diff --git a/src/legacy/ui/public/inspector/index.ts b/src/legacy/ui/public/inspector/index.ts deleted file mode 100644 index db82508f36ada..0000000000000 --- a/src/legacy/ui/public/inspector/index.ts +++ /dev/null @@ -1,22 +0,0 @@ -/* - * Licensed to Elasticsearch B.V. under one or more contributor - * license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright - * ownership. Elasticsearch B.V. licenses this file to you under - * the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -export { Inspector } from './inspector'; -export { viewRegistry } from './view_registry'; -export { Adapters } from './types'; diff --git a/src/legacy/ui/public/inspector/inspector.tsx b/src/legacy/ui/public/inspector/inspector.tsx deleted file mode 100644 index d65245c11cfe1..0000000000000 --- a/src/legacy/ui/public/inspector/inspector.tsx +++ /dev/null @@ -1,42 +0,0 @@ -/* - * Licensed to Elasticsearch B.V. under one or more contributor - * license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright - * ownership. Elasticsearch B.V. licenses this file to you under - * the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -import { npStart } from '../new_platform'; -export { InspectorSession } from '../../../../plugins/inspector/public'; - -/** - * @deprecated - * - * Do not use this, use New Platform `inspector` plugin instead. - */ -export const Inspector = { - /** - * @deprecated - * - * Do not use this, use New Platform `inspector` plugin instead. - */ - isAvailable: npStart.plugins.inspector.isAvailable, - - /** - * @deprecated - * - * Do not use this, use New Platform `inspector` plugin instead. - */ - open: npStart.plugins.inspector.open, -}; diff --git a/src/legacy/ui/public/inspector/types.ts b/src/legacy/ui/public/inspector/types.ts deleted file mode 100644 index 98f2cf487eb43..0000000000000 --- a/src/legacy/ui/public/inspector/types.ts +++ /dev/null @@ -1,33 +0,0 @@ -/* - * Licensed to Elasticsearch B.V. under one or more contributor - * license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright - * ownership. Elasticsearch B.V. licenses this file to you under - * the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -/** - * Do not import these types from here, instead import them from `inspector` plugin. - * - * ```ts - * import { InspectorViewDescription } from 'src/plugins/inspector/public'; - * ``` - * - * @deprecated - */ -export { - Adapters, - InspectorViewProps, - InspectorViewDescription, -} from '../../../../plugins/inspector/public'; diff --git a/src/legacy/ui/public/inspector/ui/inspector_panel.tsx b/src/legacy/ui/public/inspector/ui/inspector_panel.tsx deleted file mode 100644 index 92ed169bf15e8..0000000000000 --- a/src/legacy/ui/public/inspector/ui/inspector_panel.tsx +++ /dev/null @@ -1,27 +0,0 @@ -/* - * Licensed to Elasticsearch B.V. under one or more contributor - * license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright - * ownership. Elasticsearch B.V. licenses this file to you under - * the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -/* eslint-disable */ - -/** - * Do not use this, use NP `inspector` plugin instead. - * - * @deprecated - */ -export * from '../../../../../plugins/inspector/public/ui/inspector_panel'; diff --git a/src/legacy/ui/public/inspector/ui/inspector_view_chooser.tsx b/src/legacy/ui/public/inspector/ui/inspector_view_chooser.tsx deleted file mode 100644 index 017e5c91095f6..0000000000000 --- a/src/legacy/ui/public/inspector/ui/inspector_view_chooser.tsx +++ /dev/null @@ -1,27 +0,0 @@ -/* - * Licensed to Elasticsearch B.V. under one or more contributor - * license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright - * ownership. Elasticsearch B.V. licenses this file to you under - * the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -/* eslint-disable */ - -/** - * Do not use this, use NP `inspector` plugin instead. - * - * @deprecated - */ -export * from '../../../../../plugins/inspector/public/ui/inspector_view_chooser'; diff --git a/src/legacy/ui/public/inspector/view_registry.ts b/src/legacy/ui/public/inspector/view_registry.ts deleted file mode 100644 index 5958be66ca184..0000000000000 --- a/src/legacy/ui/public/inspector/view_registry.ts +++ /dev/null @@ -1,34 +0,0 @@ -/* - * Licensed to Elasticsearch B.V. under one or more contributor - * license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright - * ownership. Elasticsearch B.V. licenses this file to you under - * the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -import { npSetup } from 'ui/new_platform'; -export { InspectorViewDescription } from './types'; - -/** - * Do not use this, instead use `inspector` plugin directly. - * - * ```ts - * import { npSetup } from 'ui/new_platform'; - * - * npSetup.plugins.inspector.registerView(view); - * ``` - * - * @deprecated - */ -export const viewRegistry = npSetup.plugins.inspector.__LEGACY.views; diff --git a/src/plugins/newsfeed/public/index.ts b/src/plugins/newsfeed/public/index.ts index 1217de60d9638..b70606b09a34f 100644 --- a/src/plugins/newsfeed/public/index.ts +++ b/src/plugins/newsfeed/public/index.ts @@ -18,7 +18,9 @@ */ import { PluginInitializerContext } from 'src/core/public'; -import { NewsfeedPublicPlugin } from './plugin'; +import { Setup, Start, NewsfeedPublicPlugin } from './plugin'; + +export { Setup, Start }; export function plugin(initializerContext: PluginInitializerContext) { return new NewsfeedPublicPlugin(initializerContext); diff --git a/src/plugins/newsfeed/public/plugin.tsx b/src/plugins/newsfeed/public/plugin.tsx index c4e042fe452f9..d21cf75a1a65e 100644 --- a/src/plugins/newsfeed/public/plugin.tsx +++ b/src/plugins/newsfeed/public/plugin.tsx @@ -27,8 +27,8 @@ import { FetchResult, NewsfeedPluginInjectedConfig } from '../types'; import { NewsfeedNavButton, NewsfeedApiFetchResult } from './components/newsfeed_header_nav_button'; import { getApi } from './lib/api'; -export type Setup = void; -export type Start = void; +export type Setup = object; +export type Start = object; export class NewsfeedPublicPlugin implements Plugin { private readonly kibanaVersion: string; @@ -38,7 +38,9 @@ export class NewsfeedPublicPlugin implements Plugin { this.kibanaVersion = initializerContext.env.packageInfo.version; } - public setup(core: CoreSetup): Setup {} + public setup(core: CoreSetup): Setup { + return {}; + } public start(core: CoreStart): Start { const api$ = this.fetchNewsfeed(core); @@ -46,6 +48,8 @@ export class NewsfeedPublicPlugin implements Plugin { order: 1000, mount: target => this.mount(api$, target), }); + + return {}; } public stop() { diff --git a/test/functional/apps/context/_date_nanos_custom_timestamp.js b/test/functional/apps/context/_date_nanos_custom_timestamp.js index 3901fa936e719..046cca0aba8c6 100644 --- a/test/functional/apps/context/_date_nanos_custom_timestamp.js +++ b/test/functional/apps/context/_date_nanos_custom_timestamp.js @@ -28,8 +28,9 @@ export default function({ getService, getPageObjects }) { const docTable = getService('docTable'); const PageObjects = getPageObjects(['common', 'context', 'timePicker', 'discover']); const esArchiver = getService('esArchiver'); - - describe('context view for date_nanos with custom timestamp', () => { + // skipped due to a recent change in ES that caused search_after queries with data containing + // custom timestamp formats like in the testdata to fail + describe.skip('context view for date_nanos with custom timestamp', () => { before(async function() { await esArchiver.loadIfNeeded('date_nanos_custom'); await kibanaServer.uiSettings.replace({ defaultIndex: TEST_INDEX_PATTERN }); diff --git a/x-pack/legacy/plugins/infra/public/components/metrics_explorer/chart.tsx b/x-pack/legacy/plugins/infra/public/components/metrics_explorer/chart.tsx index 6153ebce5e0da..f66ae867eef5a 100644 --- a/x-pack/legacy/plugins/infra/public/components/metrics_explorer/chart.tsx +++ b/x-pack/legacy/plugins/infra/public/components/metrics_explorer/chart.tsx @@ -86,7 +86,7 @@ export const MetricsExplorerChart = ({ - + {title} @@ -159,7 +159,7 @@ export const MetricsExplorerChart = ({ }; const ChartTitle = euiStyled.div` - width: 100% + width: 100%; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; diff --git a/x-pack/legacy/plugins/infra/public/index.scss b/x-pack/legacy/plugins/infra/public/index.scss index 4cef6d6baa915..afee4ab8b0389 100644 --- a/x-pack/legacy/plugins/infra/public/index.scss +++ b/x-pack/legacy/plugins/infra/public/index.scss @@ -36,6 +36,12 @@ .infrastructureChart .echTooltip__label { overflow-x: hidden; - white-space: no-wrap; + white-space: nowrap; text-overflow: ellipsis; } + +.metricsExplorerTitleAnchor { + white-space: nowrap; + text-overflow: ellipsis; + display: inline; +} diff --git a/x-pack/legacy/plugins/lens/public/editor_frame_plugin/embeddable/embeddable.test.tsx b/x-pack/legacy/plugins/lens/public/editor_frame_plugin/embeddable/embeddable.test.tsx index bc61c6ae34ce5..1f0620c43f7f7 100644 --- a/x-pack/legacy/plugins/lens/public/editor_frame_plugin/embeddable/embeddable.test.tsx +++ b/x-pack/legacy/plugins/lens/public/editor_frame_plugin/embeddable/embeddable.test.tsx @@ -9,7 +9,7 @@ import { ExpressionRendererProps } from 'src/plugins/expressions/public'; import { Query, TimeRange, esFilters } from 'src/plugins/data/public'; import { Document } from '../../persistence'; -jest.mock('../../../../../../../src/legacy/ui/public/inspector', () => ({ +jest.mock('../../../../../../../src/plugins/inspector/public/', () => ({ isAvailable: false, open: false, })); diff --git a/x-pack/legacy/plugins/maps/public/angular/map_controller.js b/x-pack/legacy/plugins/maps/public/angular/map_controller.js index ece775f5a7e25..5f058e2ba7806 100644 --- a/x-pack/legacy/plugins/maps/public/angular/map_controller.js +++ b/x-pack/legacy/plugins/maps/public/angular/map_controller.js @@ -43,9 +43,8 @@ import { getLayerListRaw, } from '../selectors/map_selectors'; import { getInspectorAdapters } from '../reducers/non_serializable_instances'; -import { Inspector } from 'ui/inspector'; import { docTitle } from 'ui/doc_title'; -import { indexPatternService } from '../kibana_services'; +import { indexPatternService, getInspector } from '../kibana_services'; import { SavedObjectSaveModal } from 'ui/saved_objects/components/saved_object_save_modal'; import { showSaveModal } from 'ui/saved_objects/show_saved_object_save_modal'; import { toastNotifications } from 'ui/notify'; @@ -510,7 +509,7 @@ app.controller( testId: 'openInspectorButton', run() { const inspectorAdapters = getInspectorAdapters(store.getState()); - Inspector.open(inspectorAdapters, {}); + getInspector().open(inspectorAdapters, {}); }, }, ...(capabilities.get().maps.save diff --git a/x-pack/legacy/plugins/maps/public/inspector/views/register_views.js b/x-pack/legacy/plugins/maps/public/inspector/views/register_views.ts similarity index 72% rename from x-pack/legacy/plugins/maps/public/inspector/views/register_views.js rename to x-pack/legacy/plugins/maps/public/inspector/views/register_views.ts index 6cca73f899cfd..59c0595668300 100644 --- a/x-pack/legacy/plugins/maps/public/inspector/views/register_views.js +++ b/x-pack/legacy/plugins/maps/public/inspector/views/register_views.ts @@ -4,8 +4,9 @@ * you may not use this file except in compliance with the Elastic License. */ -import { MapView } from './map_view'; +import { npSetup } from 'ui/new_platform'; -import { viewRegistry } from 'ui/inspector'; +// @ts-ignore +import { MapView } from './map_view'; -viewRegistry.register(MapView); +npSetup.plugins.inspector.registerView(MapView); diff --git a/x-pack/legacy/plugins/maps/public/kibana_services.js b/x-pack/legacy/plugins/maps/public/kibana_services.js index dadae7a3fdca9..60fda398b4f3e 100644 --- a/x-pack/legacy/plugins/maps/public/kibana_services.js +++ b/x-pack/legacy/plugins/maps/public/kibana_services.js @@ -21,6 +21,12 @@ export const getLicenseId = () => { return licenseId; }; +let inspector; +export const setInspector = newInspector => (inspector = newInspector); +export const getInspector = () => { + return inspector; +}; + export async function fetchSearchSourceAndRecordWithInspector({ searchSource, requestId, diff --git a/x-pack/legacy/plugins/maps/public/plugin.ts b/x-pack/legacy/plugins/maps/public/plugin.ts index 0df7109852486..e5f765a11d219 100644 --- a/x-pack/legacy/plugins/maps/public/plugin.ts +++ b/x-pack/legacy/plugins/maps/public/plugin.ts @@ -10,7 +10,7 @@ import { wrapInI18nContext } from 'ui/i18n'; // @ts-ignore import { MapListing } from './components/map_listing'; // @ts-ignore -import { setLicenseId } from './kibana_services'; +import { setLicenseId, setInspector } from './kibana_services'; /** * These are the interfaces with your public contracts. You should export these @@ -39,5 +39,7 @@ export class MapsPlugin implements Plugin { } } - public start(core: CoreStart, plugins: any) {} + public start(core: CoreStart, plugins: any) { + setInspector(plugins.np.inspector); + } } diff --git a/x-pack/legacy/plugins/maps/public/reducers/non_serializable_instances.js b/x-pack/legacy/plugins/maps/public/reducers/non_serializable_instances.js index 689212b8e5ff0..c7de2beff0cf6 100644 --- a/x-pack/legacy/plugins/maps/public/reducers/non_serializable_instances.js +++ b/x-pack/legacy/plugins/maps/public/reducers/non_serializable_instances.js @@ -5,7 +5,7 @@ */ import chrome from 'ui/chrome'; -import { RequestAdapter } from 'ui/inspector/adapters'; +import { RequestAdapter } from '../../../../../../src/plugins/inspector/public'; import { MapAdapter } from '../inspector/adapters/map_adapter'; const REGISTER_CANCEL_CALLBACK = 'REGISTER_CANCEL_CALLBACK'; diff --git a/x-pack/legacy/plugins/ml/public/application/data_frame_analytics/pages/analytics_exploration/components/exploration/exploration.tsx b/x-pack/legacy/plugins/ml/public/application/data_frame_analytics/pages/analytics_exploration/components/exploration/exploration.tsx index 098f8f07bee44..bd1b60d92403e 100644 --- a/x-pack/legacy/plugins/ml/public/application/data_frame_analytics/pages/analytics_exploration/components/exploration/exploration.tsx +++ b/x-pack/legacy/plugins/ml/public/application/data_frame_analytics/pages/analytics_exploration/components/exploration/exploration.tsx @@ -453,7 +453,7 @@ export const Exploration: FC = React.memo(({ jobId, jobStatus }) => { const MlInMemoryTableBasic = mlInMemoryTableBasicFactory(); return ( - + diff --git a/x-pack/legacy/plugins/ml/public/application/data_frame_analytics/pages/analytics_exploration/components/regression_exploration/evaluate_panel.tsx b/x-pack/legacy/plugins/ml/public/application/data_frame_analytics/pages/analytics_exploration/components/regression_exploration/evaluate_panel.tsx index 30744c1a88d83..fe2676053dde3 100644 --- a/x-pack/legacy/plugins/ml/public/application/data_frame_analytics/pages/analytics_exploration/components/regression_exploration/evaluate_panel.tsx +++ b/x-pack/legacy/plugins/ml/public/application/data_frame_analytics/pages/analytics_exploration/components/regression_exploration/evaluate_panel.tsx @@ -229,7 +229,7 @@ export const EvaluatePanel: FC = ({ jobConfig, jobStatus, searchQuery }) }, [JSON.stringify(searchQuery)]); return ( - + @@ -296,6 +296,7 @@ export const EvaluatePanel: FC = ({ jobConfig, jobStatus, searchQuery }) = ({ jobConfig, jobStatus, searchQuery }) = ({ jobConfig, jobStatus, searchQuery }) = ({ jobConfig, jobStatus, searchQuery }) = ({ isLoading, isMSE, title }) => ( - +export const EvaluateStat: FC = ({ isLoading, isMSE, title, dataTestSubj }) => ( + = React.memo( : searchError; return ( - + @@ -461,6 +461,7 @@ export const ResultsTable: FC = React.memo( {docFields.map(({ name }) => ( field.name === name)} onChange={() => toggleColumn(name)} diff --git a/x-pack/legacy/plugins/ml/public/application/data_frame_analytics/pages/analytics_management/components/analytics_list/actions.tsx b/x-pack/legacy/plugins/ml/public/application/data_frame_analytics/pages/analytics_management/components/analytics_list/actions.tsx index fc3c00cbcf3e3..eb87bfd96c149 100644 --- a/x-pack/legacy/plugins/ml/public/application/data_frame_analytics/pages/analytics_management/components/analytics_list/actions.tsx +++ b/x-pack/legacy/plugins/ml/public/application/data_frame_analytics/pages/analytics_management/components/analytics_list/actions.tsx @@ -47,7 +47,7 @@ export const AnalyticsViewAction = { aria-label={i18n.translate('xpack.ml.dataframe.analyticsList.viewAriaLabel', { defaultMessage: 'View', })} - data-test-sub="mlAnalyticsJobViewButton" + data-test-subj="mlAnalyticsJobViewButton" > {i18n.translate('xpack.ml.dataframe.analyticsList.viewActionName', { defaultMessage: 'View', diff --git a/x-pack/legacy/plugins/ml/public/application/data_frame_analytics/pages/analytics_management/components/analytics_list/columns.tsx b/x-pack/legacy/plugins/ml/public/application/data_frame_analytics/pages/analytics_management/components/analytics_list/columns.tsx index 34f281cec57d3..07ae2c176c363 100644 --- a/x-pack/legacy/plugins/ml/public/application/data_frame_analytics/pages/analytics_management/components/analytics_list/columns.tsx +++ b/x-pack/legacy/plugins/ml/public/application/data_frame_analytics/pages/analytics_management/components/analytics_list/columns.tsx @@ -191,6 +191,7 @@ export const getColumns = ( }), sortable: true, truncateText: true, + 'data-test-subj': 'mlAnalyticsTableColumnJobDescription', }, { field: DataFrameAnalyticsListColumn.configSourceIndex, diff --git a/x-pack/legacy/plugins/monitoring/public/components/elasticsearch/nodes/__tests__/__snapshots__/cells.test.js.snap b/x-pack/legacy/plugins/monitoring/public/components/elasticsearch/nodes/__tests__/__snapshots__/cells.test.js.snap index 789e2a5756b48..c7081dc439085 100644 --- a/x-pack/legacy/plugins/monitoring/public/components/elasticsearch/nodes/__tests__/__snapshots__/cells.test.js.snap +++ b/x-pack/legacy/plugins/monitoring/public/components/elasticsearch/nodes/__tests__/__snapshots__/cells.test.js.snap @@ -28,12 +28,12 @@ exports[`Node Listing Metric Cell should format a non-percentage metric 1`] = `
- 206.5 GB max + 206.5 GB max
- 206.3 GB min + 206.3 GB min
diff --git a/x-pack/legacy/plugins/monitoring/public/components/elasticsearch/nodes/cells.js b/x-pack/legacy/plugins/monitoring/public/components/elasticsearch/nodes/cells.js index fe925b337a31c..c5407864e8f81 100644 --- a/x-pack/legacy/plugins/monitoring/public/components/elasticsearch/nodes/cells.js +++ b/x-pack/legacy/plugins/monitoring/public/components/elasticsearch/nodes/cells.js @@ -21,11 +21,11 @@ const getSlopeArrow = slope => { return null; }; -const metricVal = (metric, format, isPercent) => { +const metricVal = (metric, format, isPercent, units) => { if (isPercent) { return formatMetric(metric, format, '%', { prependSpace: false }); } - return formatMetric(metric, format); + return formatMetric(metric, format, units); }; const noWrapStyle = { overflowX: 'hidden', whiteSpace: 'nowrap' }; @@ -34,6 +34,7 @@ function MetricCell({ isOnline, metric = {}, isPercent, ...props }) { if (isOnline) { const { lastVal, maxVal, minVal, slope } = get(metric, 'summary', {}); const format = get(metric, 'metric.format'); + const units = get(metric, 'metric.units'); return ( @@ -49,7 +50,7 @@ function MetricCell({ isOnline, metric = {}, isPercent, ...props }) { {i18n.translate('xpack.monitoring.elasticsearch.nodes.cells.maxText', { defaultMessage: '{metric} max', values: { - metric: metricVal(maxVal, format, isPercent), + metric: metricVal(maxVal, format, isPercent, units), }, })} @@ -57,7 +58,7 @@ function MetricCell({ isOnline, metric = {}, isPercent, ...props }) { {i18n.translate('xpack.monitoring.elasticsearch.nodes.cells.minText', { defaultMessage: '{metric} min', values: { - metric: metricVal(minVal, format, isPercent), + metric: metricVal(minVal, format, isPercent, units), }, })} diff --git a/x-pack/legacy/plugins/reporting/index.ts b/x-pack/legacy/plugins/reporting/index.ts index 3fb297cb8d82c..d38e19dee2ef2 100644 --- a/x-pack/legacy/plugins/reporting/index.ts +++ b/x-pack/legacy/plugins/reporting/index.ts @@ -4,21 +4,21 @@ * you may not use this file except in compliance with the Elastic License. */ -import { resolve } from 'path'; import { i18n } from '@kbn/i18n'; import { Legacy } from 'kibana'; import { IUiSettingsClient } from 'kibana/server'; +import { resolve } from 'path'; +import { PluginStart as DataPluginStart } from '../../../../src/plugins/data/server'; +import { PluginSetupContract as SecurityPluginSetup } from '../../../plugins/security/server'; import { PLUGIN_ID, UI_SETTINGS_CUSTOM_PDF_LOGO } from './common/constants'; -import { ReportingConfigOptions, ReportingPluginSpecOptions } from './types.d'; import { config as reportingConfig } from './config'; import { LegacySetup, ReportingPlugin, - ReportingSetupDeps, reportingPluginFactory, + ReportingSetupDeps, } from './server/plugin'; - -import { PluginStart as DataPluginStart } from '../../../../src/plugins/data/server'; +import { ReportingConfigOptions, ReportingPluginSpecOptions } from './types.d'; const kbToBase64Length = (kb: number) => { return Math.floor((kb * 1024 * 8) / 6); @@ -75,6 +75,7 @@ export const reporting = (kibana: any) => { async init(server: Legacy.Server) { const coreSetup = server.newPlatform.setup.core; const pluginsSetup: ReportingSetupDeps = { + security: server.newPlatform.setup.plugins.security as SecurityPluginSetup, usageCollection: server.newPlatform.setup.plugins.usageCollection, }; @@ -92,7 +93,6 @@ export const reporting = (kibana: any) => { plugins: { elasticsearch: server.plugins.elasticsearch, xpack_main: server.plugins.xpack_main, - security: server.plugins.security, }, savedObjects: server.savedObjects, fieldFormatServiceFactory, diff --git a/x-pack/legacy/plugins/reporting/server/lib/get_user.ts b/x-pack/legacy/plugins/reporting/server/lib/get_user.ts index 9ee8d9a835c89..350004ddb78f8 100644 --- a/x-pack/legacy/plugins/reporting/server/lib/get_user.ts +++ b/x-pack/legacy/plugins/reporting/server/lib/get_user.ts @@ -5,19 +5,25 @@ */ import { Legacy } from 'kibana'; +import { KibanaRequest } from '../../../../../../src/core/server'; import { Logger, ServerFacade } from '../../types'; +import { ReportingSetupDeps } from '../plugin'; -export function getUserFactory(server: ServerFacade, logger: Logger) { +export function getUserFactory( + server: ServerFacade, + security: ReportingSetupDeps['security'], + logger: Logger +) { /* * Legacy.Request because this is called from routing middleware */ return async (request: Legacy.Request) => { - if (!server.plugins.security) { + if (!security) { return null; } try { - return await server.plugins.security.getUser(request); + return await security.authc.getCurrentUser(KibanaRequest.from(request)); } catch (err) { logger.error(err, ['getUser']); return null; diff --git a/x-pack/legacy/plugins/reporting/server/plugin.ts b/x-pack/legacy/plugins/reporting/server/plugin.ts index 42ef5c3df182e..cf66ec74969ca 100644 --- a/x-pack/legacy/plugins/reporting/server/plugin.ts +++ b/x-pack/legacy/plugins/reporting/server/plugin.ts @@ -7,6 +7,7 @@ import { Legacy } from 'kibana'; import { CoreSetup, CoreStart, Plugin, LoggerFactory } from 'src/core/server'; import { UsageCollectionSetup } from 'src/plugins/usage_collection/server'; +import { PluginSetupContract as SecurityPluginSetup } from '../../../../plugins/security/server'; import { XPackMainPlugin } from '../../xpack_main/server/xpack_main'; // @ts-ignore import { mirrorPluginStatus } from '../../../server/lib/mirror_plugin_status'; @@ -29,6 +30,7 @@ export type ReportingStart = object; export interface ReportingSetupDeps { usageCollection: UsageCollectionSetup; + security: SecurityPluginSetup; } export type ReportingStartDeps = object; @@ -39,7 +41,6 @@ export interface LegacySetup { info: Legacy.Server['info']; plugins: { elasticsearch: LegacyPlugins['elasticsearch']; - security: LegacyPlugins['security']; xpack_main: XPackMainPlugin & { status?: any; }; @@ -105,7 +106,7 @@ export function reportingPluginFactory( isCollectorReady = true; // Reporting routes - registerRoutes(__LEGACY, exportTypesRegistry, browserDriverFactory, logger); + registerRoutes(__LEGACY, plugins, exportTypesRegistry, browserDriverFactory, logger); return {}; } diff --git a/x-pack/legacy/plugins/reporting/server/routes/generate_from_jobparams.ts b/x-pack/legacy/plugins/reporting/server/routes/generate_from_jobparams.ts index d920015c4290c..ed761b1e684ae 100644 --- a/x-pack/legacy/plugins/reporting/server/routes/generate_from_jobparams.ts +++ b/x-pack/legacy/plugins/reporting/server/routes/generate_from_jobparams.ts @@ -4,24 +4,26 @@ * you may not use this file except in compliance with the Elastic License. */ -import { Legacy } from 'kibana'; import boom from 'boom'; import Joi from 'joi'; +import { Legacy } from 'kibana'; import rison from 'rison-node'; import { API_BASE_URL } from '../../common/constants'; -import { ServerFacade, ReportingResponseToolkit, Logger } from '../../types'; +import { Logger, ReportingResponseToolkit, ServerFacade } from '../../types'; +import { ReportingSetupDeps } from '../plugin'; +import { makeRequestFacade } from './lib/make_request_facade'; import { - getRouteConfigFactoryReportingPre, GetRouteConfigFactoryFn, + getRouteConfigFactoryReportingPre, RouteConfigFactory, } from './lib/route_config_factories'; -import { makeRequestFacade } from './lib/make_request_facade'; import { HandlerErrorFunction, HandlerFunction } from './types'; const BASE_GENERATE = `${API_BASE_URL}/generate`; export function registerGenerateFromJobParams( server: ServerFacade, + plugins: ReportingSetupDeps, handler: HandlerFunction, handleError: HandlerErrorFunction, logger: Logger @@ -29,6 +31,7 @@ export function registerGenerateFromJobParams( const getRouteConfig = () => { const getOriginalRouteConfig: GetRouteConfigFactoryFn = getRouteConfigFactoryReportingPre( server, + plugins, logger ); const routeConfigFactory: RouteConfigFactory = getOriginalRouteConfig( diff --git a/x-pack/legacy/plugins/reporting/server/routes/generate_from_savedobject.ts b/x-pack/legacy/plugins/reporting/server/routes/generate_from_savedobject.ts index 0da8e40ea29c0..8696f36a45c62 100644 --- a/x-pack/legacy/plugins/reporting/server/routes/generate_from_savedobject.ts +++ b/x-pack/legacy/plugins/reporting/server/routes/generate_from_savedobject.ts @@ -7,11 +7,12 @@ import { Legacy } from 'kibana'; import { get } from 'lodash'; import { API_BASE_GENERATE_V1, CSV_FROM_SAVEDOBJECT_JOB_TYPE } from '../../common/constants'; -import { ServerFacade, ReportingResponseToolkit, Logger } from '../../types'; -import { HandlerErrorFunction, HandlerFunction, QueuedJobPayload } from './types'; -import { getRouteOptionsCsv } from './lib/route_config_factories'; -import { makeRequestFacade } from './lib/make_request_facade'; import { getJobParamsFromRequest } from '../../export_types/csv_from_savedobject/server/lib/get_job_params_from_request'; +import { Logger, ReportingResponseToolkit, ServerFacade } from '../../types'; +import { ReportingSetupDeps } from '../plugin'; +import { makeRequestFacade } from './lib/make_request_facade'; +import { getRouteOptionsCsv } from './lib/route_config_factories'; +import { HandlerErrorFunction, HandlerFunction, QueuedJobPayload } from './types'; /* * This function registers API Endpoints for queuing Reporting jobs. The API inputs are: @@ -24,11 +25,12 @@ import { getJobParamsFromRequest } from '../../export_types/csv_from_savedobject */ export function registerGenerateCsvFromSavedObject( server: ServerFacade, + plugins: ReportingSetupDeps, handleRoute: HandlerFunction, handleRouteError: HandlerErrorFunction, logger: Logger ) { - const routeOptions = getRouteOptionsCsv(server, logger); + const routeOptions = getRouteOptionsCsv(server, plugins, logger); server.route({ path: `${API_BASE_GENERATE_V1}/csv/saved-object/{savedObjectType}:{savedObjectId}`, diff --git a/x-pack/legacy/plugins/reporting/server/routes/generate_from_savedobject_immediate.ts b/x-pack/legacy/plugins/reporting/server/routes/generate_from_savedobject_immediate.ts index 60799b20ce420..f3ed760bba430 100644 --- a/x-pack/legacy/plugins/reporting/server/routes/generate_from_savedobject_immediate.ts +++ b/x-pack/legacy/plugins/reporting/server/routes/generate_from_savedobject_immediate.ts @@ -7,18 +7,19 @@ import { Legacy } from 'kibana'; import { API_BASE_GENERATE_V1 } from '../../common/constants'; import { createJobFactory, executeJobFactory } from '../../export_types/csv_from_savedobject'; +import { getJobParamsFromRequest } from '../../export_types/csv_from_savedobject/server/lib/get_job_params_from_request'; +import { JobDocPayloadPanelCsv } from '../../export_types/csv_from_savedobject/types'; import { - ServerFacade, - ResponseFacade, HeadlessChromiumDriverFactory, - ReportingResponseToolkit, - Logger, JobDocOutput, + Logger, + ReportingResponseToolkit, + ResponseFacade, + ServerFacade, } from '../../types'; -import { JobDocPayloadPanelCsv } from '../../export_types/csv_from_savedobject/types'; -import { getJobParamsFromRequest } from '../../export_types/csv_from_savedobject/server/lib/get_job_params_from_request'; -import { getRouteOptionsCsv } from './lib/route_config_factories'; +import { ReportingSetupDeps } from '../plugin'; import { makeRequestFacade } from './lib/make_request_facade'; +import { getRouteOptionsCsv } from './lib/route_config_factories'; /* * This function registers API Endpoints for immediate Reporting jobs. The API inputs are: @@ -31,9 +32,10 @@ import { makeRequestFacade } from './lib/make_request_facade'; */ export function registerGenerateCsvFromSavedObjectImmediate( server: ServerFacade, + plugins: ReportingSetupDeps, parentLogger: Logger ) { - const routeOptions = getRouteOptionsCsv(server, parentLogger); + const routeOptions = getRouteOptionsCsv(server, plugins, parentLogger); /* * CSV export with the `immediate` option does not queue a job with Reporting's ESQueue to run the job async. Instead, this does: diff --git a/x-pack/legacy/plugins/reporting/server/routes/generation.ts b/x-pack/legacy/plugins/reporting/server/routes/generation.ts index 2a3102d0dd159..3c9ef6987b2d9 100644 --- a/x-pack/legacy/plugins/reporting/server/routes/generation.ts +++ b/x-pack/legacy/plugins/reporting/server/routes/generation.ts @@ -8,20 +8,22 @@ import boom from 'boom'; import { Legacy } from 'kibana'; import { API_BASE_URL } from '../../common/constants'; import { - ServerFacade, ExportTypesRegistry, HeadlessChromiumDriverFactory, - ReportingResponseToolkit, Logger, + ReportingResponseToolkit, + ServerFacade, } from '../../types'; +import { createQueueFactory, enqueueJobFactory } from '../lib'; +import { ReportingSetupDeps } from '../plugin'; import { registerGenerateFromJobParams } from './generate_from_jobparams'; import { registerGenerateCsvFromSavedObject } from './generate_from_savedobject'; import { registerGenerateCsvFromSavedObjectImmediate } from './generate_from_savedobject_immediate'; -import { createQueueFactory, enqueueJobFactory } from '../lib'; import { makeRequestFacade } from './lib/make_request_facade'; export function registerJobGenerationRoutes( server: ServerFacade, + plugins: ReportingSetupDeps, exportTypesRegistry: ExportTypesRegistry, browserDriverFactory: HeadlessChromiumDriverFactory, logger: Logger @@ -73,11 +75,11 @@ export function registerJobGenerationRoutes( return err; } - registerGenerateFromJobParams(server, handler, handleError, logger); + registerGenerateFromJobParams(server, plugins, handler, handleError, logger); // Register beta panel-action download-related API's if (config.get('xpack.reporting.csv.enablePanelActionDownload')) { - registerGenerateCsvFromSavedObject(server, handler, handleError, logger); - registerGenerateCsvFromSavedObjectImmediate(server, logger); + registerGenerateCsvFromSavedObject(server, plugins, handler, handleError, logger); + registerGenerateCsvFromSavedObjectImmediate(server, plugins, logger); } } diff --git a/x-pack/legacy/plugins/reporting/server/routes/index.ts b/x-pack/legacy/plugins/reporting/server/routes/index.ts index da664dcb91ae4..4cfa9dd465eab 100644 --- a/x-pack/legacy/plugins/reporting/server/routes/index.ts +++ b/x-pack/legacy/plugins/reporting/server/routes/index.ts @@ -5,20 +5,22 @@ */ import { - ServerFacade, ExportTypesRegistry, HeadlessChromiumDriverFactory, Logger, + ServerFacade, } from '../../types'; +import { ReportingSetupDeps } from '../plugin'; import { registerJobGenerationRoutes } from './generation'; import { registerJobInfoRoutes } from './jobs'; export function registerRoutes( server: ServerFacade, + plugins: ReportingSetupDeps, exportTypesRegistry: ExportTypesRegistry, browserDriverFactory: HeadlessChromiumDriverFactory, logger: Logger ) { - registerJobGenerationRoutes(server, exportTypesRegistry, browserDriverFactory, logger); - registerJobInfoRoutes(server, exportTypesRegistry, logger); + registerJobGenerationRoutes(server, plugins, exportTypesRegistry, browserDriverFactory, logger); + registerJobInfoRoutes(server, plugins, exportTypesRegistry, logger); } diff --git a/x-pack/legacy/plugins/reporting/server/routes/jobs.test.js b/x-pack/legacy/plugins/reporting/server/routes/jobs.test.js index a5d75ef32af24..c9d4f9fc027be 100644 --- a/x-pack/legacy/plugins/reporting/server/routes/jobs.test.js +++ b/x-pack/legacy/plugins/reporting/server/routes/jobs.test.js @@ -54,6 +54,10 @@ beforeEach(() => { }; }); +const mockPlugins = { + security: null, +}; + const getHits = (...sources) => { return { hits: { @@ -67,7 +71,7 @@ test(`returns 404 if job not found`, async () => { .getCluster('admin') .callWithInternalUser.mockReturnValue(Promise.resolve(getHits())); - registerJobInfoRoutes(mockServer, exportTypesRegistry, mockLogger); + registerJobInfoRoutes(mockServer, mockPlugins, exportTypesRegistry, mockLogger); const request = { method: 'GET', @@ -84,7 +88,7 @@ test(`returns 401 if not valid job type`, async () => { .getCluster('admin') .callWithInternalUser.mockReturnValue(Promise.resolve(getHits({ jobtype: 'invalidJobType' }))); - registerJobInfoRoutes(mockServer, exportTypesRegistry, mockLogger); + registerJobInfoRoutes(mockServer, mockPlugins, exportTypesRegistry, mockLogger); const request = { method: 'GET', @@ -103,7 +107,7 @@ describe(`when job is incomplete`, () => { Promise.resolve(getHits({ jobtype: 'unencodedJobType', status: 'pending' })) ); - registerJobInfoRoutes(mockServer, exportTypesRegistry, mockLogger); + registerJobInfoRoutes(mockServer, mockPlugins, exportTypesRegistry, mockLogger); const request = { method: 'GET', @@ -145,7 +149,7 @@ describe(`when job is failed`, () => { .getCluster('admin') .callWithInternalUser.mockReturnValue(Promise.resolve(hits)); - registerJobInfoRoutes(mockServer, exportTypesRegistry, mockLogger); + registerJobInfoRoutes(mockServer, mockPlugins, exportTypesRegistry, mockLogger); const request = { method: 'GET', @@ -190,7 +194,7 @@ describe(`when job is completed`, () => { .getCluster('admin') .callWithInternalUser.mockReturnValue(Promise.resolve(hits)); - registerJobInfoRoutes(mockServer, exportTypesRegistry, mockLogger); + registerJobInfoRoutes(mockServer, mockPlugins, exportTypesRegistry, mockLogger); const request = { method: 'GET', diff --git a/x-pack/legacy/plugins/reporting/server/routes/jobs.ts b/x-pack/legacy/plugins/reporting/server/routes/jobs.ts index 049ee0ce20ceb..f9b731db5a702 100644 --- a/x-pack/legacy/plugins/reporting/server/routes/jobs.ts +++ b/x-pack/legacy/plugins/reporting/server/routes/jobs.ts @@ -5,25 +5,26 @@ */ import Boom from 'boom'; -import { Legacy } from 'kibana'; import { ResponseObject } from 'hapi'; +import { Legacy } from 'kibana'; import { API_BASE_URL } from '../../common/constants'; import { - ServerFacade, ExportTypesRegistry, - Logger, - ReportingResponseToolkit, JobDocOutput, JobSource, ListQuery, + Logger, + ReportingResponseToolkit, + ServerFacade, } from '../../types'; import { jobsQueryFactory } from '../lib/jobs_query'; +import { ReportingSetupDeps } from '../plugin'; import { jobResponseHandlerFactory } from './lib/job_response_handler'; +import { makeRequestFacade } from './lib/make_request_facade'; import { getRouteConfigFactoryDownloadPre, getRouteConfigFactoryManagementPre, } from './lib/route_config_factories'; -import { makeRequestFacade } from './lib/make_request_facade'; const MAIN_ENTRY = `${API_BASE_URL}/jobs`; @@ -33,12 +34,13 @@ function isResponse(response: Boom | ResponseObject): response is Response export function registerJobInfoRoutes( server: ServerFacade, + plugins: ReportingSetupDeps, exportTypesRegistry: ExportTypesRegistry, logger: Logger ) { const jobsQuery = jobsQueryFactory(server); - const getRouteConfig = getRouteConfigFactoryManagementPre(server, logger); - const getRouteConfigDownload = getRouteConfigFactoryDownloadPre(server, logger); + const getRouteConfig = getRouteConfigFactoryManagementPre(server, plugins, logger); + const getRouteConfigDownload = getRouteConfigFactoryDownloadPre(server, plugins, logger); // list jobs in the queue, paginated server.route({ diff --git a/x-pack/legacy/plugins/reporting/server/routes/lib/authorized_user_pre_routing.test.js b/x-pack/legacy/plugins/reporting/server/routes/lib/authorized_user_pre_routing.test.js index 841f753f0c09b..3460d22592e3d 100644 --- a/x-pack/legacy/plugins/reporting/server/routes/lib/authorized_user_pre_routing.test.js +++ b/x-pack/legacy/plugins/reporting/server/routes/lib/authorized_user_pre_routing.test.js @@ -4,7 +4,6 @@ * you may not use this file except in compliance with the Elastic License. */ -import expect from '@kbn/expect'; import { authorizedUserPreRoutingFactory } from './authorized_user_pre_routing'; describe('authorized_user_pre_routing', function() { @@ -60,41 +59,88 @@ describe('authorized_user_pre_routing', function() { return mockServer; }; })(); - const getMockLogger = () => ({ warn: jest.fn() }); + + const mockRequestRaw = { + body: {}, + events: {}, + headers: {}, + isSystemRequest: false, + params: {}, + query: {}, + route: { settings: { payload: 'abc' }, options: { authRequired: true, body: {}, tags: [] } }, + withoutSecretHeaders: true, + }; + const getMockRequest = () => ({ + ...mockRequestRaw, + raw: { req: mockRequestRaw }, + }); + + const getMockPlugins = pluginSet => { + return pluginSet || { security: null }; + }; + + const getMockLogger = () => ({ + warn: jest.fn(), + error: msg => { + throw new Error(msg); + }, + }); it('should return with boom notFound when xpackInfo is undefined', async function() { const mockServer = createMockServer({ xpackInfoUndefined: true }); - const authorizedUserPreRouting = authorizedUserPreRoutingFactory(mockServer, getMockLogger()); - const response = await authorizedUserPreRouting({}); - expect(response.isBoom).to.be(true); - expect(response.output.statusCode).to.be(404); + const authorizedUserPreRouting = authorizedUserPreRoutingFactory( + mockServer, + getMockPlugins(), + getMockLogger() + ); + const response = await authorizedUserPreRouting(getMockRequest()); + expect(response.isBoom).toBe(true); + expect(response.output.statusCode).toBe(404); }); it(`should return with boom notFound when xpackInfo isn't available`, async function() { const mockServer = createMockServer({ xpackInfoAvailable: false }); - const authorizedUserPreRouting = authorizedUserPreRoutingFactory(mockServer, getMockLogger()); - const response = await authorizedUserPreRouting(); - expect(response.isBoom).to.be(true); - expect(response.output.statusCode).to.be(404); + const authorizedUserPreRouting = authorizedUserPreRoutingFactory( + mockServer, + getMockPlugins(), + getMockLogger() + ); + const response = await authorizedUserPreRouting(getMockRequest()); + expect(response.isBoom).toBe(true); + expect(response.output.statusCode).toBe(404); }); it('should return with null user when security is disabled in Elasticsearch', async function() { const mockServer = createMockServer({ securityEnabled: false }); - const authorizedUserPreRouting = authorizedUserPreRoutingFactory(mockServer, getMockLogger()); - const response = await authorizedUserPreRouting(); - expect(response).to.be(null); + const authorizedUserPreRouting = authorizedUserPreRoutingFactory( + mockServer, + getMockPlugins(), + getMockLogger() + ); + const response = await authorizedUserPreRouting(getMockRequest()); + expect(response).toBe(null); }); it('should return with boom unauthenticated when security is enabled but no authenticated user', async function() { - const mockServer = createMockServer({ user: null }); + const mockServer = createMockServer({ + user: null, + config: { 'xpack.reporting.roles.allow': ['.reporting_user'] }, + }); + const mockPlugins = getMockPlugins({ + security: { authc: { getCurrentUser: () => null } }, + }); - const authorizedUserPreRouting = authorizedUserPreRoutingFactory(mockServer, getMockLogger()); - const response = await authorizedUserPreRouting(); - expect(response.isBoom).to.be(true); - expect(response.output.statusCode).to.be(401); + const authorizedUserPreRouting = authorizedUserPreRoutingFactory( + mockServer, + mockPlugins, + getMockLogger() + ); + const response = await authorizedUserPreRouting(getMockRequest()); + expect(response.isBoom).toBe(true); + expect(response.output.statusCode).toBe(401); }); it(`should return with boom forbidden when security is enabled but user doesn't have allowed role`, async function() { @@ -102,11 +148,18 @@ describe('authorized_user_pre_routing', function() { user: { roles: [] }, config: { 'xpack.reporting.roles.allow': ['.reporting_user'] }, }); + const mockPlugins = getMockPlugins({ + security: { authc: { getCurrentUser: () => ({ roles: ['something_else'] }) } }, + }); - const authorizedUserPreRouting = authorizedUserPreRoutingFactory(mockServer, getMockLogger()); - const response = await authorizedUserPreRouting(); - expect(response.isBoom).to.be(true); - expect(response.output.statusCode).to.be(403); + const authorizedUserPreRouting = authorizedUserPreRoutingFactory( + mockServer, + mockPlugins, + getMockLogger() + ); + const response = await authorizedUserPreRouting(getMockRequest()); + expect(response.isBoom).toBe(true); + expect(response.output.statusCode).toBe(403); }); it('should return with user when security is enabled and user has explicitly allowed role', async function() { @@ -115,10 +168,19 @@ describe('authorized_user_pre_routing', function() { user, config: { 'xpack.reporting.roles.allow': ['.reporting_user'] }, }); + const mockPlugins = getMockPlugins({ + security: { + authc: { getCurrentUser: () => ({ roles: ['.reporting_user', 'something_else'] }) }, + }, + }); - const authorizedUserPreRouting = authorizedUserPreRoutingFactory(mockServer, getMockLogger()); - const response = await authorizedUserPreRouting(); - expect(response).to.be(user); + const authorizedUserPreRouting = authorizedUserPreRoutingFactory( + mockServer, + mockPlugins, + getMockLogger() + ); + const response = await authorizedUserPreRouting(getMockRequest()); + expect(response).toEqual(user); }); it('should return with user when security is enabled and user has superuser role', async function() { @@ -127,9 +189,16 @@ describe('authorized_user_pre_routing', function() { user, config: { 'xpack.reporting.roles.allow': [] }, }); + const mockPlugins = getMockPlugins({ + security: { authc: { getCurrentUser: () => ({ roles: ['superuser', 'something_else'] }) } }, + }); - const authorizedUserPreRouting = authorizedUserPreRoutingFactory(mockServer, getMockLogger()); - const response = await authorizedUserPreRouting(); - expect(response).to.be(user); + const authorizedUserPreRouting = authorizedUserPreRoutingFactory( + mockServer, + mockPlugins, + getMockLogger() + ); + const response = await authorizedUserPreRouting(getMockRequest()); + expect(response).toEqual(user); }); }); diff --git a/x-pack/legacy/plugins/reporting/server/routes/lib/authorized_user_pre_routing.ts b/x-pack/legacy/plugins/reporting/server/routes/lib/authorized_user_pre_routing.ts index 906f266290a42..874027251570c 100644 --- a/x-pack/legacy/plugins/reporting/server/routes/lib/authorized_user_pre_routing.ts +++ b/x-pack/legacy/plugins/reporting/server/routes/lib/authorized_user_pre_routing.ts @@ -7,8 +7,9 @@ import Boom from 'boom'; import { Legacy } from 'kibana'; import { AuthenticatedUser } from '../../../../../../plugins/security/server'; +import { Logger, ServerFacade } from '../../../types'; import { getUserFactory } from '../../lib/get_user'; -import { ServerFacade, Logger } from '../../../types'; +import { ReportingSetupDeps } from '../../plugin'; const superuserRole = 'superuser'; @@ -18,9 +19,10 @@ export type PreRoutingFunction = ( export const authorizedUserPreRoutingFactory = function authorizedUserPreRoutingFn( server: ServerFacade, + plugins: ReportingSetupDeps, logger: Logger ) { - const getUser = getUserFactory(server, logger); + const getUser = getUserFactory(server, plugins.security, logger); const config = server.config(); return async function authorizedUserPreRouting(request: Legacy.Request) { diff --git a/x-pack/legacy/plugins/reporting/server/routes/lib/get_document_payload.ts b/x-pack/legacy/plugins/reporting/server/routes/lib/get_document_payload.ts index 1c0566100e197..fb3944ea33552 100644 --- a/x-pack/legacy/plugins/reporting/server/routes/lib/get_document_payload.ts +++ b/x-pack/legacy/plugins/reporting/server/routes/lib/get_document_payload.ts @@ -4,17 +4,17 @@ * you may not use this file except in compliance with the Elastic License. */ -import * as _ from 'lodash'; // @ts-ignore import contentDisposition from 'content-disposition'; +import * as _ from 'lodash'; +import { CSV_JOB_TYPE } from '../../../common/constants'; import { - ServerFacade, - ExportTypesRegistry, ExportTypeDefinition, + ExportTypesRegistry, JobDocOutput, JobSource, + ServerFacade, } from '../../../types'; -import { CSV_JOB_TYPE } from '../../../common/constants'; interface ICustomHeaders { [x: string]: any; diff --git a/x-pack/legacy/plugins/reporting/server/routes/lib/reporting_feature_pre_routing.ts b/x-pack/legacy/plugins/reporting/server/routes/lib/reporting_feature_pre_routing.ts index 88c5e4edc12f8..7367fceb50857 100644 --- a/x-pack/legacy/plugins/reporting/server/routes/lib/reporting_feature_pre_routing.ts +++ b/x-pack/legacy/plugins/reporting/server/routes/lib/reporting_feature_pre_routing.ts @@ -7,11 +7,13 @@ import Boom from 'boom'; import { Legacy } from 'kibana'; import { Logger, ServerFacade } from '../../../types'; +import { ReportingSetupDeps } from '../../plugin'; export type GetReportingFeatureIdFn = (request: Legacy.Request) => string; export const reportingFeaturePreRoutingFactory = function reportingFeaturePreRoutingFn( server: ServerFacade, + plugins: ReportingSetupDeps, logger: Logger ) { const xpackMainPlugin = server.plugins.xpack_main; diff --git a/x-pack/legacy/plugins/reporting/server/routes/lib/route_config_factories.ts b/x-pack/legacy/plugins/reporting/server/routes/lib/route_config_factories.ts index 25c08261490d5..931f642397bf8 100644 --- a/x-pack/legacy/plugins/reporting/server/routes/lib/route_config_factories.ts +++ b/x-pack/legacy/plugins/reporting/server/routes/lib/route_config_factories.ts @@ -6,10 +6,13 @@ import Joi from 'joi'; import { CSV_FROM_SAVEDOBJECT_JOB_TYPE } from '../../../common/constants'; -import { ServerFacade, Logger } from '../../../types'; +import { Logger, ServerFacade } from '../../../types'; +import { ReportingSetupDeps } from '../../plugin'; import { authorizedUserPreRoutingFactory } from './authorized_user_pre_routing'; -import { reportingFeaturePreRoutingFactory } from './reporting_feature_pre_routing'; -import { GetReportingFeatureIdFn } from './reporting_feature_pre_routing'; +import { + GetReportingFeatureIdFn, + reportingFeaturePreRoutingFactory, +} from './reporting_feature_pre_routing'; const API_TAG = 'api'; @@ -27,10 +30,11 @@ export type GetRouteConfigFactoryFn = ( export function getRouteConfigFactoryReportingPre( server: ServerFacade, + plugins: ReportingSetupDeps, logger: Logger ): GetRouteConfigFactoryFn { - const authorizedUserPreRouting = authorizedUserPreRoutingFactory(server, logger); - const reportingFeaturePreRouting = reportingFeaturePreRoutingFactory(server, logger); + const authorizedUserPreRouting = authorizedUserPreRoutingFactory(server, plugins, logger); + const reportingFeaturePreRouting = reportingFeaturePreRoutingFactory(server, plugins, logger); return (getFeatureId?: GetReportingFeatureIdFn): RouteConfigFactory => { const preRouting: any[] = [{ method: authorizedUserPreRouting, assign: 'user' }]; @@ -45,8 +49,12 @@ export function getRouteConfigFactoryReportingPre( }; } -export function getRouteOptionsCsv(server: ServerFacade, logger: Logger) { - const getRouteConfig = getRouteConfigFactoryReportingPre(server, logger); +export function getRouteOptionsCsv( + server: ServerFacade, + plugins: ReportingSetupDeps, + logger: Logger +) { + const getRouteConfig = getRouteConfigFactoryReportingPre(server, plugins, logger); return { ...getRouteConfig(() => CSV_FROM_SAVEDOBJECT_JOB_TYPE), validate: { @@ -68,10 +76,11 @@ export function getRouteOptionsCsv(server: ServerFacade, logger: Logger) { export function getRouteConfigFactoryManagementPre( server: ServerFacade, + plugins: ReportingSetupDeps, logger: Logger ): GetRouteConfigFactoryFn { - const authorizedUserPreRouting = authorizedUserPreRoutingFactory(server, logger); - const reportingFeaturePreRouting = reportingFeaturePreRoutingFactory(server, logger); + const authorizedUserPreRouting = authorizedUserPreRoutingFactory(server, plugins, logger); + const reportingFeaturePreRouting = reportingFeaturePreRoutingFactory(server, plugins, logger); const managementPreRouting = reportingFeaturePreRouting(() => 'management'); return (): RouteConfigFactory => { @@ -91,9 +100,10 @@ export function getRouteConfigFactoryManagementPre( // download is loaded into memory. export function getRouteConfigFactoryDownloadPre( server: ServerFacade, + plugins: ReportingSetupDeps, logger: Logger ): GetRouteConfigFactoryFn { - const getManagementRouteConfig = getRouteConfigFactoryManagementPre(server, logger); + const getManagementRouteConfig = getRouteConfigFactoryManagementPre(server, plugins, logger); return (): RouteConfigFactory => ({ ...getManagementRouteConfig(), tags: [API_TAG], diff --git a/x-pack/legacy/plugins/reporting/server/routes/types.d.ts b/x-pack/legacy/plugins/reporting/server/routes/types.d.ts index f3660a22cbac1..28862a765d666 100644 --- a/x-pack/legacy/plugins/reporting/server/routes/types.d.ts +++ b/x-pack/legacy/plugins/reporting/server/routes/types.d.ts @@ -5,7 +5,7 @@ */ import { Legacy } from 'kibana'; -import { RequestFacade, ReportingResponseToolkit, JobDocPayload } from '../../types'; +import { JobDocPayload, ReportingResponseToolkit } from '../../types'; export type HandlerFunction = ( exportType: string, diff --git a/x-pack/legacy/plugins/siem/cypress/integration/smoke_tests/navigation/navigation.spec.ts b/x-pack/legacy/plugins/siem/cypress/integration/smoke_tests/navigation/navigation.spec.ts index a549b5eec2e7c..364864b395d41 100644 --- a/x-pack/legacy/plugins/siem/cypress/integration/smoke_tests/navigation/navigation.spec.ts +++ b/x-pack/legacy/plugins/siem/cypress/integration/smoke_tests/navigation/navigation.spec.ts @@ -4,39 +4,32 @@ * you may not use this file except in compliance with the Elastic License. */ -import { TIMELINES_PAGE } from '../../lib/urls'; -import { - NAVIGATION_HOSTS, - NAVIGATION_NETWORK, - NAVIGATION_OVERVIEW, - NAVIGATION_TIMELINES, -} from '../../lib/navigation/selectors'; -import { loginAndWaitForPage } from '../../lib/util/helpers'; +import { TIMELINES_PAGE } from '../../../urls/navigation'; +import { HOSTS, NETWORK, OVERVIEW, TIMELINES } from '../../../screens/header'; +import { loginAndWaitForPage } from '../../../tasks/login'; +import { navigateFromHeaderTo } from '../../../tasks/header'; describe('top-level navigation common to all pages in the SIEM app', () => { before(() => { loginAndWaitForPage(TIMELINES_PAGE); }); it('navigates to the Overview page', () => { - cy.get(NAVIGATION_OVERVIEW).click({ force: true }); + navigateFromHeaderTo(OVERVIEW); cy.url().should('include', '/siem#/overview'); }); it('navigates to the Hosts page', () => { - cy.get(NAVIGATION_HOSTS).click({ force: true }); - + navigateFromHeaderTo(HOSTS); cy.url().should('include', '/siem#/hosts'); }); it('navigates to the Network page', () => { - cy.get(NAVIGATION_NETWORK).click({ force: true }); - + navigateFromHeaderTo(NETWORK); cy.url().should('include', '/siem#/network'); }); it('navigates to the Timelines page', () => { - cy.get(NAVIGATION_TIMELINES).click({ force: true }); - + navigateFromHeaderTo(TIMELINES); cy.url().should('include', '/siem#/timelines'); }); }); diff --git a/x-pack/legacy/plugins/siem/cypress/screens/header.ts b/x-pack/legacy/plugins/siem/cypress/screens/header.ts index cb018cda8f68d..6e4f5fc0e35cb 100644 --- a/x-pack/legacy/plugins/siem/cypress/screens/header.ts +++ b/x-pack/legacy/plugins/siem/cypress/screens/header.ts @@ -5,3 +5,11 @@ */ export const KQL_INPUT = '[data-test-subj="queryInput"]'; + +export const HOSTS = '[data-test-subj="navigation-hosts"]'; + +export const NETWORK = '[data-test-subj="navigation-network"]'; + +export const OVERVIEW = '[data-test-subj="navigation-overview"]'; + +export const TIMELINES = '[data-test-subj="navigation-timelines"]'; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/actions.ts b/x-pack/legacy/plugins/siem/cypress/tasks/header.ts similarity index 71% rename from x-pack/plugins/endpoint/public/applications/endpoint/store/actions.ts rename to x-pack/legacy/plugins/siem/cypress/tasks/header.ts index 796dabce1d76a..96412b1eb6a3c 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/actions.ts +++ b/x-pack/legacy/plugins/siem/cypress/tasks/header.ts @@ -4,6 +4,6 @@ * you may not use this file except in compliance with the Elastic License. */ -import { EndpointListAction } from './endpoint_list'; - -export type AppAction = EndpointListAction; +export const navigateFromHeaderTo = (page: string) => { + cy.get(page).click({ force: true }); +}; diff --git a/x-pack/legacy/plugins/siem/cypress/urls/navigation.ts b/x-pack/legacy/plugins/siem/cypress/urls/navigation.ts new file mode 100644 index 0000000000000..4675829df839a --- /dev/null +++ b/x-pack/legacy/plugins/siem/cypress/urls/navigation.ts @@ -0,0 +1,7 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +export const TIMELINES_PAGE = '/app/siem#/timelines'; diff --git a/x-pack/legacy/plugins/siem/public/components/alerts_viewer/default_headers.ts b/x-pack/legacy/plugins/siem/public/components/alerts_viewer/default_headers.ts index 936d43fff0b48..af9a5ab765571 100644 --- a/x-pack/legacy/plugins/siem/public/components/alerts_viewer/default_headers.ts +++ b/x-pack/legacy/plugins/siem/public/components/alerts_viewer/default_headers.ts @@ -19,6 +19,7 @@ export const alertsHeaders: ColumnHeader[] = [ columnHeaderType: defaultColumnHeaderType, id: 'event.module', width: DEFAULT_COLUMN_MIN_WIDTH, + linkField: 'rule.reference', }, { columnHeaderType: defaultColumnHeaderType, diff --git a/x-pack/legacy/plugins/siem/public/components/alerts_viewer/index.tsx b/x-pack/legacy/plugins/siem/public/components/alerts_viewer/index.tsx index 2d10928da570a..a8c2f429040ea 100644 --- a/x-pack/legacy/plugins/siem/public/components/alerts_viewer/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/alerts_viewer/index.tsx @@ -5,7 +5,6 @@ */ import { noop } from 'lodash/fp'; import React, { useEffect, useCallback } from 'react'; -import { EuiSpacer } from '@elastic/eui'; import numeral from '@elastic/numeral'; import { AlertsComponentsQueryProps } from './types'; @@ -79,7 +78,6 @@ export const AlertsView = ({ type={type} updateDateRange={updateDateRange} /> - ); diff --git a/x-pack/legacy/plugins/siem/public/components/embeddables/__snapshots__/index_patterns_missing_prompt.test.tsx.snap b/x-pack/legacy/plugins/siem/public/components/embeddables/__snapshots__/index_patterns_missing_prompt.test.tsx.snap index 2eefdf767dce1..171926b53e5b9 100644 --- a/x-pack/legacy/plugins/siem/public/components/embeddables/__snapshots__/index_patterns_missing_prompt.test.tsx.snap +++ b/x-pack/legacy/plugins/siem/public/components/embeddables/__snapshots__/index_patterns_missing_prompt.test.tsx.snap @@ -16,7 +16,7 @@ exports[`IndexPatternsMissingPrompt renders correctly against snapshot 1`] = `

{ <>

` + display: flex; + flex-direction: column; + ${({ height }) => (height != null ? `height: ${height}px;` : '')} +`; + export const MatrixHistogramComponent: React.FC = ({ + chartHeight, dataKey, defaultStackByOption, endDate, @@ -43,6 +57,7 @@ export const MatrixHistogramComponent: React.FC { const barchartConfigs = getBarchartConfigs({ + chartHeight, from: startDate, legendPosition, to: endDate, @@ -141,48 +157,69 @@ export const MatrixHistogramComponent: React.FC - - {loading && !isInitialLoading && ( - - )} - - {isInitialLoading ? ( - <> - - - - ) : ( - <> - = 0 ? subtitleWithCounts : null)} - > - - - {stackByOptions?.length > 1 && ( - - )} - - {headerChildren} - - - - - )} - - + <> + + + {loading && !isInitialLoading && ( + + )} + + {isInitialLoading ? ( + <> + = 0 ? subtitleWithCounts : null)} + > + + + {stackByOptions?.length > 1 && ( + + )} + + {headerChildren} + + + + + ) : ( + <> + = 0 ? subtitleWithCounts : null)} + > + + + {stackByOptions?.length > 1 && ( + + )} + + {headerChildren} + + + + + )} + + + + ); }; diff --git a/x-pack/legacy/plugins/siem/public/components/matrix_histogram/matrix_loader.tsx b/x-pack/legacy/plugins/siem/public/components/matrix_histogram/matrix_loader.tsx index 769ef170898b0..036526a14f77d 100644 --- a/x-pack/legacy/plugins/siem/public/components/matrix_histogram/matrix_loader.tsx +++ b/x-pack/legacy/plugins/siem/public/components/matrix_histogram/matrix_loader.tsx @@ -9,7 +9,7 @@ import { EuiFlexGroup, EuiFlexItem, EuiLoadingSpinner } from '@elastic/eui'; import styled from 'styled-components'; const StyledEuiFlexGroup = styled(EuiFlexGroup)` - height: 350px; /* to avoid jump when histogram loads */ + flex 1; `; const MatrixLoaderComponent = () => ( diff --git a/x-pack/legacy/plugins/siem/public/components/matrix_histogram/types.ts b/x-pack/legacy/plugins/siem/public/components/matrix_histogram/types.ts index e2b5600d539af..88f8f1ff28fa9 100644 --- a/x-pack/legacy/plugins/siem/public/components/matrix_histogram/types.ts +++ b/x-pack/legacy/plugins/siem/public/components/matrix_histogram/types.ts @@ -31,6 +31,7 @@ export type GetSubTitle = (count: number) => string; export type GetTitle = (matrixHistogramOption: MatrixHistogramOption) => string; export interface MatrixHistogramBasicProps { + chartHeight?: number; defaultIndex: string[]; defaultStackByOption: MatrixHistogramOption; endDate: number; @@ -39,6 +40,7 @@ export interface MatrixHistogramBasicProps { id: string; legendPosition?: Position; mapping?: MatrixHistogramMappingTypes; + panelHeight?: number; setQuery: SetQuery; sourceId: string; startDate: number; diff --git a/x-pack/legacy/plugins/siem/public/components/matrix_histogram/utils.ts b/x-pack/legacy/plugins/siem/public/components/matrix_histogram/utils.ts index 6e932f0c87347..95b1cd806cf6c 100644 --- a/x-pack/legacy/plugins/siem/public/components/matrix_histogram/utils.ts +++ b/x-pack/legacy/plugins/siem/public/components/matrix_histogram/utils.ts @@ -11,6 +11,7 @@ import { MatrixHistogramDataTypes, MatrixHistogramMappingTypes } from './types'; import { histogramDateTimeFormatter } from '../utils'; interface GetBarchartConfigsProps { + chartHeight?: number; from: number; legendPosition?: Position; to: number; @@ -20,7 +21,10 @@ interface GetBarchartConfigsProps { showLegend?: boolean; } +export const DEFAULT_CHART_HEIGHT = 174; + export const getBarchartConfigs = ({ + chartHeight, from, legendPosition, to, @@ -65,7 +69,7 @@ export const getBarchartConfigs = ({ }, }, }, - customHeight: 324, + customHeight: chartHeight ?? DEFAULT_CHART_HEIGHT, }); export const formatToChartDataItem = ([key, value]: [ diff --git a/x-pack/legacy/plugins/siem/public/components/news_feed/index.tsx b/x-pack/legacy/plugins/siem/public/components/news_feed/index.tsx index 95f12758d5e63..6a5e08b287f96 100644 --- a/x-pack/legacy/plugins/siem/public/components/news_feed/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/news_feed/index.tsx @@ -8,7 +8,7 @@ import React, { useEffect, useState } from 'react'; import chrome from 'ui/chrome'; import { fetchNews, getNewsFeedUrl, getNewsItemsFromApiResponse } from './helpers'; -import { useUiSetting$ } from '../../lib/kibana'; +import { useKibana, useUiSetting$ } from '../../lib/kibana'; import { NewsFeed } from './news_feed'; import { NewsItem } from './types'; @@ -16,10 +16,14 @@ export const StatefulNewsFeed = React.memo<{ enableNewsFeedSetting: string; newsFeedSetting: string; }>(({ enableNewsFeedSetting, newsFeedSetting }) => { + const kibanaNewsfeedEnabled = useKibana().services.newsfeed; const [enableNewsFeed] = useUiSetting$(enableNewsFeedSetting); const [newsFeedUrlSetting] = useUiSetting$(newsFeedSetting); const [news, setNews] = useState(null); + // respect kibana's global newsfeed.enabled setting + const newsfeedEnabled = kibanaNewsfeedEnabled && enableNewsFeed; + const newsFeedUrl = getNewsFeedUrl({ newsFeedUrlSetting, getKibanaVersion: chrome.getKibanaVersion, @@ -42,16 +46,16 @@ export const StatefulNewsFeed = React.memo<{ } }; - if (enableNewsFeed) { + if (newsfeedEnabled) { fetchData(); } return () => { canceled = true; }; - }, [enableNewsFeed, newsFeedUrl]); + }, [newsfeedEnabled, newsFeedUrl]); - return <>{enableNewsFeed ? : null}; + return <>{newsfeedEnabled ? : null}; }); StatefulNewsFeed.displayName = 'StatefulNewsFeed'; diff --git a/x-pack/legacy/plugins/siem/public/components/news_feed/news_feed.tsx b/x-pack/legacy/plugins/siem/public/components/news_feed/news_feed.tsx index d41ce357d9b7b..98eea1eaa6454 100644 --- a/x-pack/legacy/plugins/siem/public/components/news_feed/news_feed.tsx +++ b/x-pack/legacy/plugins/siem/public/components/news_feed/news_feed.tsx @@ -4,39 +4,42 @@ * you may not use this file except in compliance with the Elastic License. */ -import { EuiLoadingSpinner, EuiSpacer } from '@elastic/eui'; +import { EuiSpacer } from '@elastic/eui'; import React from 'react'; -import { NoNews } from './no_news'; +import { LoadingPlaceholders } from '../page/overview/loading_placeholders'; import { NEWS_FEED_TITLE } from '../../pages/overview/translations'; -import { Post } from './post'; import { SidebarHeader } from '../sidebar_header'; + +import { NoNews } from './no_news'; +import { Post } from './post'; import { NewsItem } from './types'; interface Props { news: NewsItem[] | null | undefined; } -export const NewsFeed = React.memo(({ news }) => { - if (news == null) { - return ; - } - - if (news.length === 0) { - return ; - } +const SHOW_PLACEHOLDERS = 5; +const LINES_PER_LOADING_PLACEHOLDER = 4; - return ( - <> - - {news.map((n: NewsItem) => ( +const NewsFeedComponent: React.FC = ({ news }) => ( + <> + + {news == null ? ( + + ) : news.length === 0 ? ( + + ) : ( + news.map((n: NewsItem) => ( - ))} - - ); -}); + )) + )} + +); + +NewsFeedComponent.displayName = 'NewsFeedComponent'; -NewsFeed.displayName = 'NewsFeed'; +export const NewsFeed = React.memo(NewsFeedComponent); diff --git a/x-pack/legacy/plugins/siem/public/components/news_feed/no_news/index.tsx b/x-pack/legacy/plugins/siem/public/components/news_feed/no_news/index.tsx index bd6648025d2aa..c4e0482c6b30a 100644 --- a/x-pack/legacy/plugins/siem/public/components/news_feed/no_news/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/news_feed/no_news/index.tsx @@ -12,7 +12,7 @@ import * as i18n from '../translations'; export const NoNews = React.memo(() => ( <> - {i18n.NO_NEWS_MESSAGE} + {i18n.NO_NEWS_MESSAGE}{' '} {i18n.ADVANCED_SETTINGS_LINK_TITLE} diff --git a/x-pack/legacy/plugins/siem/public/components/news_feed/translations.ts b/x-pack/legacy/plugins/siem/public/components/news_feed/translations.ts index 71981723cc937..5d3b4171f501e 100644 --- a/x-pack/legacy/plugins/siem/public/components/news_feed/translations.ts +++ b/x-pack/legacy/plugins/siem/public/components/news_feed/translations.ts @@ -8,7 +8,7 @@ import { i18n } from '@kbn/i18n'; export const NO_NEWS_MESSAGE = i18n.translate('xpack.siem.newsFeed.noNewsMessage', { defaultMessage: - 'Your current News feed URL returned no recent news. You may update the URL or disable security news via', + 'Your current news feed URL returned no recent news. You may update the URL or disable security news via', }); export const ADVANCED_SETTINGS_LINK_TITLE = i18n.translate( diff --git a/x-pack/legacy/plugins/siem/public/components/page/add_filter_to_global_search_bar/helpers.ts b/x-pack/legacy/plugins/siem/public/components/page/add_filter_to_global_search_bar/helpers.ts index bd0859bac2d13..6fb53d67c1a6d 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/add_filter_to_global_search_bar/helpers.ts +++ b/x-pack/legacy/plugins/siem/public/components/page/add_filter_to_global_search_bar/helpers.ts @@ -4,8 +4,14 @@ * you may not use this file except in compliance with the Elastic License. */ -export const createFilter = (key: string, value: string | null | undefined) => - value != null +import { esFilters } from '../../../../../../../../src/plugins/data/public'; + +export const createFilter = ( + key: string, + value: string[] | string | null | undefined +): esFilters.Filter => { + const queryValue = value != null ? (Array.isArray(value) ? value[0] : value) : null; + return queryValue != null ? { meta: { alias: null, @@ -13,21 +19,21 @@ export const createFilter = (key: string, value: string | null | undefined) => disabled: false, type: 'phrase', key, - value, + value: queryValue, params: { - query: value, + query: queryValue, }, }, query: { match: { [key]: { - query: value, + query: queryValue, type: 'phrase', }, }, }, } - : { + : ({ exists: { field: key, }, @@ -39,4 +45,5 @@ export const createFilter = (key: string, value: string | null | undefined) => type: 'exists', value: 'exists', }, - }; + } as esFilters.Filter); +}; diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/loading_placeholders/index.tsx b/x-pack/legacy/plugins/siem/public/components/page/overview/loading_placeholders/index.tsx new file mode 100644 index 0000000000000..1dcc6b75f32e5 --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/loading_placeholders/index.tsx @@ -0,0 +1,26 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { EuiLoadingContent, EuiSpacer } from '@elastic/eui'; +import React from 'react'; + +const LoadingPlaceholdersComponent: React.FC<{ + lines: 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10; + placeholders: number; +}> = ({ lines, placeholders }) => ( + <> + {[...Array(placeholders).keys()].map((_, i) => ( + + + {i !== placeholders - 1 && } + + ))} + +); + +LoadingPlaceholdersComponent.displayName = 'LoadingPlaceholdersComponent'; + +export const LoadingPlaceholders = React.memo(LoadingPlaceholdersComponent); diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host/index.test.tsx b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host/index.test.tsx new file mode 100644 index 0000000000000..568cf032fb01c --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host/index.test.tsx @@ -0,0 +1,144 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { cloneDeep } from 'lodash/fp'; +import { mount } from 'enzyme'; +import React from 'react'; + +import { apolloClientObservable, mockGlobalState, TestProviders } from '../../../../mock'; + +import { OverviewHost } from '.'; +import { createStore, State } from '../../../../store'; +import { overviewHostQuery } from '../../../../containers/overview/overview_host/index.gql_query'; +import { GetOverviewHostQuery } from '../../../../graphql/types'; +import { MockedProvider } from 'react-apollo/test-utils'; +import { wait } from '../../../../lib/helpers'; + +jest.mock('../../../../lib/kibana'); + +const startDate = 1579553397080; +const endDate = 1579639797080; + +interface MockedProvidedQuery { + request: { + query: GetOverviewHostQuery.Query; + fetchPolicy: string; + variables: GetOverviewHostQuery.Variables; + }; + result: { + data: { + source: unknown; + }; + }; +} + +const mockOpenTimelineQueryResults: MockedProvidedQuery[] = [ + { + request: { + query: overviewHostQuery, + fetchPolicy: 'cache-and-network', + variables: { + sourceId: 'default', + timerange: { interval: '12h', from: startDate, to: endDate }, + filterQuery: undefined, + defaultIndex: [ + 'apm-*-transaction*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + inspect: false, + }, + }, + result: { + data: { + source: { + id: 'default', + OverviewHost: { + auditbeatAuditd: 1, + auditbeatFIM: 1, + auditbeatLogin: 1, + auditbeatPackage: 1, + auditbeatProcess: 1, + auditbeatUser: 1, + endgameDns: 1, + endgameFile: 1, + endgameImageLoad: 1, + endgameNetwork: 1, + endgameProcess: 1, + endgameRegistry: 1, + endgameSecurity: 1, + filebeatSystemModule: 1, + winlogbeatSecurity: 1, + winlogbeatMWSysmonOperational: 1, + }, + }, + }, + }, + }, +]; + +describe('OverviewHost', () => { + const state: State = mockGlobalState; + + let store = createStore(state, apolloClientObservable); + + beforeEach(() => { + const myState = cloneDeep(state); + store = createStore(myState, apolloClientObservable); + }); + + test('it renders the expected widget title', () => { + const wrapper = mount( + + + + ); + + expect( + wrapper + .find('[data-test-subj="header-section-title"]') + .first() + .text() + ).toEqual('Host events'); + }); + + test('it renders an empty subtitle while loading', () => { + const wrapper = mount( + + + + ); + + expect( + wrapper + .find('[data-test-subj="header-panel-subtitle"]') + .first() + .text() + ).toEqual(''); + }); + + test('it renders the expected event count in the subtitle after loading events', async () => { + const wrapper = mount( + + + + + + ); + await wait(); + wrapper.update(); + + expect( + wrapper + .find('[data-test-subj="header-panel-subtitle"]') + .first() + .text() + ).toEqual('Showing: 16 events'); + }); +}); diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host/index.tsx b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host/index.tsx index 31d8467025f96..3868885fa29ee 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host/index.tsx @@ -4,6 +4,7 @@ * you may not use this file except in compliance with the Elastic License. */ +import { isEmpty } from 'lodash/fp'; import { EuiButton, EuiFlexItem, EuiPanel } from '@elastic/eui'; import numeral from '@elastic/numeral'; import { FormattedMessage } from '@kbn/i18n/react'; @@ -41,7 +42,7 @@ export interface OwnProps { } const OverviewHostStatsManage = manageQuery(OverviewHostStats); -type OverviewHostProps = OwnProps; +export type OverviewHostProps = OwnProps; const OverviewHostComponent: React.FC = ({ endDate, @@ -56,6 +57,7 @@ const OverviewHostComponent: React.FC = ({ = ({ return ( <> + !isEmpty(overviewHost) ? ( + + ) : ( + <>{''} + ) } title={ + - - - + - - - - - - - - - - - - - + + + + + + - - - - - - - - - - - + + + - - - - - - - - - - - - - + + + + + + - - - - - - - - - - - + + + - - - - - - - + + + + + + + + + + - - - - - + + + + + + + + + + + - - - - - - - + + + + + + + + + + - - - + + + + + + + + + + + + - - - + - - - - - - - - - - - - - + + + + + + - - - - - - - - - - - + + + - - - - - - - - - - - - - + + + + + + - - - - - - - - - - - + + + - - - - - - - - - - - - + + + + + + + + + + - - - - - - - + + + + + + + + + + - - - - - + + + + + + + + + + + - - - - - - - + + + + + + + + + + - - - + + + + + + + + + + + + - - - + - - - - - - - - - - + + + + + + + + + + + - - - + - - - - - - - - - - - - - + + + + + + - - - - - - + + + - - - + + + + + + + + + + + + `; diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/index.tsx b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/index.tsx index 7dca259ca3db4..b811a3615b148 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_host_stats/index.tsx @@ -6,7 +6,7 @@ import { EuiAccordion, EuiFlexGroup, EuiFlexItem, EuiHorizontalRule, EuiText } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n/react'; -import React, { useMemo } from 'react'; +import React from 'react'; import styled from 'styled-components'; import { OverviewHostData } from '../../../../graphql/types'; @@ -203,7 +203,11 @@ const Title = styled.div` margin-left: 24px; `; -export const OverviewHostStats = React.memo(({ data, loading }) => { +const AccordionContent = styled.div` + margin-top: 8px; +`; + +const OverviewHostStatsComponent: React.FC = ({ data, loading }) => { const allHostStats = getOverviewHostStats(data); const allHostStatsCount = allHostStats.reduce((total, stat) => total + stat.count, 0); @@ -213,56 +217,55 @@ export const OverviewHostStats = React.memo(({ data, loading const statsForGroup = allHostStats.filter(s => statGroup.statIds.includes(s.id)); const statsForGroupCount = statsForGroup.reduce((total, stat) => total + stat.count, 0); - const accordionButton = useMemo( - () => ( - - - {statGroup.name} - - - - - - ), - [statGroup, statsForGroupCount, loading, allHostStatsCount] - ); - return ( + - {statsForGroup.map(stat => ( - + buttonContent={ + - - {stat.title} - + {statGroup.name} - + - ))} + } + buttonContentClassName="accordion-button" + > + + {statsForGroup.map(stat => ( + + + + {stat.title} + + + + + + + ))} + - {i !== hostStatGroups.length - 1 && } ); })} ); -}); +}; + +OverviewHostStatsComponent.displayName = 'OverviewHostStatsComponent'; -OverviewHostStats.displayName = 'OverviewHostStats'; +export const OverviewHostStats = React.memo(OverviewHostStatsComponent); diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network/index.test.tsx b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network/index.test.tsx new file mode 100644 index 0000000000000..151bb444cfe75 --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network/index.test.tsx @@ -0,0 +1,137 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { cloneDeep } from 'lodash/fp'; +import { mount } from 'enzyme'; +import React from 'react'; + +import { apolloClientObservable, mockGlobalState, TestProviders } from '../../../../mock'; + +import { OverviewNetwork } from '.'; +import { createStore, State } from '../../../../store'; +import { overviewNetworkQuery } from '../../../../containers/overview/overview_network/index.gql_query'; +import { GetOverviewHostQuery } from '../../../../graphql/types'; +import { MockedProvider } from 'react-apollo/test-utils'; +import { wait } from '../../../../lib/helpers'; + +jest.mock('../../../../lib/kibana'); + +const startDate = 1579553397080; +const endDate = 1579639797080; + +interface MockedProvidedQuery { + request: { + query: GetOverviewHostQuery.Query; + fetchPolicy: string; + variables: GetOverviewHostQuery.Variables; + }; + result: { + data: { + source: unknown; + }; + }; +} + +const mockOpenTimelineQueryResults: MockedProvidedQuery[] = [ + { + request: { + query: overviewNetworkQuery, + fetchPolicy: 'cache-and-network', + variables: { + sourceId: 'default', + timerange: { interval: '12h', from: startDate, to: endDate }, + filterQuery: undefined, + defaultIndex: [ + 'apm-*-transaction*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + inspect: false, + }, + }, + result: { + data: { + source: { + id: 'default', + OverviewNetwork: { + auditbeatSocket: 1, + filebeatCisco: 1, + filebeatNetflow: 1, + filebeatPanw: 1, + filebeatSuricata: 1, + filebeatZeek: 1, + packetbeatDNS: 1, + packetbeatFlow: 1, + packetbeatTLS: 1, + }, + }, + }, + }, + }, +]; + +describe('OverviewNetwork', () => { + const state: State = mockGlobalState; + + let store = createStore(state, apolloClientObservable); + + beforeEach(() => { + const myState = cloneDeep(state); + store = createStore(myState, apolloClientObservable); + }); + + test('it renders the expected widget title', () => { + const wrapper = mount( + + + + ); + + expect( + wrapper + .find('[data-test-subj="header-section-title"]') + .first() + .text() + ).toEqual('Network events'); + }); + + test('it renders an empty subtitle while loading', () => { + const wrapper = mount( + + + + ); + + expect( + wrapper + .find('[data-test-subj="header-panel-subtitle"]') + .first() + .text() + ).toEqual(''); + }); + + test('it renders the expected event count in the subtitle after loading events', async () => { + const wrapper = mount( + + + + + + ); + await wait(); + wrapper.update(); + + expect( + wrapper + .find('[data-test-subj="header-panel-subtitle"]') + .first() + .text() + ).toEqual('Showing: 9 events'); + }); +}); diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network/index.tsx b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network/index.tsx index 36af58c4879a7..100abd997ee6b 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network/index.tsx @@ -4,6 +4,7 @@ * you may not use this file except in compliance with the Elastic License. */ +import { isEmpty } from 'lodash/fp'; import { EuiButton, EuiFlexItem, EuiPanel } from '@elastic/eui'; import numeral from '@elastic/numeral'; import { FormattedMessage } from '@kbn/i18n/react'; @@ -23,7 +24,7 @@ import { getOverviewNetworkStats, OverviewNetworkStats } from '../overview_netwo import { getNetworkUrl } from '../../../link_to'; import { InspectButtonContainer } from '../../../inspect'; -export interface OwnProps { +export interface OverviewNetworkProps { startDate: number; endDate: number; filterQuery?: ESQuery | string; @@ -42,35 +43,40 @@ export interface OwnProps { const OverviewNetworkStatsManage = manageQuery(OverviewNetworkStats); -export const OverviewNetwork = React.memo( - ({ endDate, filterQuery, startDate, setQuery }) => { - const [defaultNumberFormat] = useUiSetting$(DEFAULT_NUMBER_FORMAT); +const OverviewNetworkComponent: React.FC = ({ + endDate, + filterQuery, + startDate, + setQuery, +}) => { + const [defaultNumberFormat] = useUiSetting$(DEFAULT_NUMBER_FORMAT); - return ( - - - - - {({ overviewNetwork, loading, id, inspect, refetch }) => { - const networkEventsCount = getOverviewNetworkStats(overviewNetwork).reduce( - (total, stat) => total + stat.count, - 0 - ); - const formattedNetworkEventsCount = numeral(networkEventsCount).format( - defaultNumberFormat - ); + return ( + + + + + {({ overviewNetwork, loading, id, inspect, refetch }) => { + const networkEventsCount = getOverviewNetworkStats(overviewNetwork).reduce( + (total, stat) => total + stat.count, + 0 + ); + const formattedNetworkEventsCount = numeral(networkEventsCount).format( + defaultNumberFormat + ); - return ( - <> - + ( networkEventsCount, }} /> - } - title={ - - } - > - - - - + ) : ( + <>{''} + ) + } + title={ + + } + > + + + + + + + + ); + }} + + + + + ); +}; - - - ); - }} - - - - - ); - } -); +OverviewNetworkComponent.displayName = 'OverviewNetworkComponent'; -OverviewNetwork.displayName = 'OverviewNetwork'; +export const OverviewNetwork = React.memo(OverviewNetworkComponent); diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/__snapshots__/index.test.tsx.snap b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/__snapshots__/index.test.tsx.snap index 4544c05f7b180..fb59ba382f489 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/__snapshots__/index.test.tsx.snap +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/__snapshots__/index.test.tsx.snap @@ -4,6 +4,9 @@ exports[`Overview Network Stat Data rendering it renders the default OverviewNet + - - - + - - - - - - - - - - + + + + + + + + + + + - - - + - - - - - - - - - - - - - + + + + + + - - - - - - - - - - - + + + - - - - - - - - - - - - - + + + + + + - - - - - - + + + - - - - - + + + + + + + + + + + - - - - - - - + + + + + + + + + + - - - + + + + + + + + + + + + - - - + - - - - - - - - - - - - - + + + + + + - - - - - - - - - - - + + + - - - - - - - + + + + + + + + + + - - - + + + + + + + + + + + + `; diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/index.tsx b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/index.tsx index 123f7f21a75fd..260b1d6895140 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/overview_network_stats/index.tsx @@ -6,7 +6,7 @@ import { EuiAccordion, EuiFlexGroup, EuiFlexItem, EuiHorizontalRule, EuiText } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n/react'; -import React, { useMemo } from 'react'; +import React from 'react'; import styled from 'styled-components'; import { OverviewNetworkData } from '../../../../graphql/types'; @@ -126,6 +126,10 @@ const Title = styled.div` margin-left: 24px; `; +const AccordionContent = styled.div` + margin-top: 8px; +`; + export const OverviewNetworkStats = React.memo(({ data, loading }) => { const allNetworkStats = getOverviewNetworkStats(data); const allNetworkStatsCount = allNetworkStats.reduce((total, stat) => total + stat.count, 0); @@ -136,54 +140,51 @@ export const OverviewNetworkStats = React.memo(({ data, lo const statsForGroup = allNetworkStats.filter(s => statGroup.statIds.includes(s.id)); const statsForGroupCount = statsForGroup.reduce((total, stat) => total + stat.count, 0); - const accordionButton = useMemo( - () => ( - - - {statGroup.name} - - - - - - ), - [statGroup, statsForGroupCount, loading, allNetworkStatsCount] - ); - return ( + - {statsForGroup.map(stat => ( - + buttonContent={ + - - {stat.title} - + {statGroup.name} - + - ))} + } + buttonContentClassName="accordion-button" + > + + {statsForGroup.map(stat => ( + + + + {stat.title} + + + + + + + ))} + - {i !== networkStatGroups.length - 1 && } ); })} diff --git a/x-pack/legacy/plugins/siem/public/components/page/overview/stat_value.tsx b/x-pack/legacy/plugins/siem/public/components/page/overview/stat_value.tsx index 5a496ba78eb6c..7615001eec9da 100644 --- a/x-pack/legacy/plugins/siem/public/components/page/overview/stat_value.tsx +++ b/x-pack/legacy/plugins/siem/public/components/page/overview/stat_value.tsx @@ -4,51 +4,67 @@ * you may not use this file except in compliance with the Elastic License. */ -import { EuiFlexGroup, EuiFlexItem, EuiLoadingSpinner, EuiProgress, EuiText } from '@elastic/eui'; +import { EuiFlexGroup, EuiFlexItem, EuiLoadingContent, EuiProgress, EuiText } from '@elastic/eui'; import numeral from '@elastic/numeral'; -import React from 'react'; +import React, { useEffect, useState } from 'react'; import styled from 'styled-components'; import { DEFAULT_NUMBER_FORMAT } from '../../../../common/constants'; import { useUiSetting$ } from '../../../lib/kibana'; const ProgressContainer = styled.div` - width: 100px; + margin-left: 8px; + min-width: 100px; `; -export const StatValue = React.memo<{ +const LoadingContent = styled(EuiLoadingContent)` + .euiLoadingContent__singleLine { + margin-bottom: 0px; + } +`; + +const StatValueComponent: React.FC<{ count: number; - isLoading: boolean; isGroupStat: boolean; + isLoading: boolean; max: number; -}>(({ count, isGroupStat, isLoading, max }) => { +}> = ({ count, isGroupStat, isLoading, max }) => { const [defaultNumberFormat] = useUiSetting$(DEFAULT_NUMBER_FORMAT); + const [isInitialLoading, setIsInitialLoading] = useState(true); + + useEffect(() => { + if (isInitialLoading && !isLoading) { + setIsInitialLoading(false); + } + }, [isLoading, isInitialLoading, setIsInitialLoading]); return ( - <> - {isLoading ? ( - - ) : ( - - - - {numeral(count).format(defaultNumberFormat)} - - - - - - - - - )} - + + + {!isInitialLoading && ( + + {numeral(count).format(defaultNumberFormat)} + + )} + + + + {isLoading ? ( + + ) : ( + + )} + + + ); -}); +}; + +StatValueComponent.displayName = 'StatValueComponent'; -StatValue.displayName = 'StatValue'; +export const StatValue = React.memo(StatValueComponent); diff --git a/x-pack/legacy/plugins/siem/public/components/recent_timelines/counts/index.tsx b/x-pack/legacy/plugins/siem/public/components/recent_timelines/counts/index.tsx index 42ac3c19ff792..e04b6319cfb24 100644 --- a/x-pack/legacy/plugins/siem/public/components/recent_timelines/counts/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/recent_timelines/counts/index.tsx @@ -45,14 +45,14 @@ export const RecentTimelineCounts = React.memo<{ timeline: OpenTimelineResult; }>(({ timeline }) => { return ( - <> +

- +
); }); diff --git a/x-pack/legacy/plugins/siem/public/components/recent_timelines/header/index.tsx b/x-pack/legacy/plugins/siem/public/components/recent_timelines/header/index.tsx index 886a2345248a2..89c7ae6f1eed9 100644 --- a/x-pack/legacy/plugins/siem/public/components/recent_timelines/header/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/recent_timelines/header/index.tsx @@ -4,62 +4,26 @@ * you may not use this file except in compliance with the Elastic License. */ -import { - EuiFlexGroup, - EuiFlexItem, - EuiText, - EuiLink, - EuiToolTip, - EuiButtonIcon, -} from '@elastic/eui'; -import React from 'react'; +import { EuiText, EuiLink } from '@elastic/eui'; +import React, { useCallback } from 'react'; import { isUntitled } from '../../open_timeline/helpers'; import { OnOpenTimeline, OpenTimelineResult } from '../../open_timeline/types'; - import * as i18n from '../translations'; -export interface MeApiResponse { - username: string; -} - export const RecentTimelineHeader = React.memo<{ onOpenTimeline: OnOpenTimeline; timeline: OpenTimelineResult; -}>(({ onOpenTimeline, timeline }) => { - const { title, savedObjectId } = timeline; +}>(({ onOpenTimeline, timeline, timeline: { title, savedObjectId } }) => { + const onClick = useCallback( + () => onOpenTimeline({ duplicate: false, timelineId: `${savedObjectId}` }), + [onOpenTimeline, savedObjectId] + ); return ( - - - - onOpenTimeline({ duplicate: false, timelineId: `${savedObjectId}` })} - > - {isUntitled(timeline) ? i18n.UNTITLED_TIMELINE : title} - - - - - - - - onOpenTimeline({ - duplicate: true, - timelineId: `${savedObjectId}`, - }) - } - size="s" - /> - - - + + {isUntitled(timeline) ? i18n.UNTITLED_TIMELINE : title} + ); }); diff --git a/x-pack/legacy/plugins/siem/public/components/recent_timelines/index.tsx b/x-pack/legacy/plugins/siem/public/components/recent_timelines/index.tsx index f1e22d1901d47..d5157e81b0fc8 100644 --- a/x-pack/legacy/plugins/siem/public/components/recent_timelines/index.tsx +++ b/x-pack/legacy/plugins/siem/public/components/recent_timelines/index.tsx @@ -5,23 +5,22 @@ */ import ApolloClient from 'apollo-client'; -import { EuiHorizontalRule, EuiLink, EuiLoadingSpinner, EuiText } from '@elastic/eui'; -import React, { useCallback, useEffect, useMemo, useState } from 'react'; +import { EuiHorizontalRule, EuiLink, EuiText } from '@elastic/eui'; +import React, { useCallback } from 'react'; import { connect } from 'react-redux'; import { Dispatch } from 'redux'; import { ActionCreator } from 'typescript-fsa'; -import chrome from 'ui/chrome'; import { AllTimelinesQuery } from '../../containers/timeline/all'; import { SortFieldTimeline, Direction } from '../../graphql/types'; -import { fetchUsername, getMeApiUrl } from './helpers'; import { queryTimelineById, dispatchUpdateTimeline } from '../open_timeline/helpers'; import { DispatchUpdateTimeline, OnOpenTimeline } from '../open_timeline/types'; -import { RecentTimelines } from './recent_timelines'; +import { LoadingPlaceholders } from '../page/overview/loading_placeholders'; import { updateIsLoading as dispatchUpdateIsLoading } from '../../store/timeline/actions'; -import { FilterMode } from './types'; +import { RecentTimelines } from './recent_timelines'; import * as i18n from './translations'; +import { FilterMode } from './types'; export interface MeApiResponse { username: string; @@ -42,8 +41,6 @@ export type Props = OwnProps & DispatchProps; const StatefulRecentTimelinesComponent = React.memo( ({ apolloClient, filterBy, updateIsLoading, updateTimeline }) => { const actionDispatcher = updateIsLoading as ActionCreator<{ id: string; isLoading: boolean }>; - const [username, setUsername] = useState(undefined); - const LoadingSpinner = useMemo(() => , []); const onOpenTimeline: OnOpenTimeline = useCallback( ({ duplicate, timelineId }: { duplicate: boolean; timelineId: string }) => { queryTimelineById({ @@ -57,38 +54,6 @@ const StatefulRecentTimelinesComponent = React.memo( [apolloClient, updateIsLoading, updateTimeline] ); - useEffect(() => { - let canceled = false; - - const fetchData = async () => { - try { - const loggedInUser = await fetchUsername(getMeApiUrl(chrome.getBasePath)); - - if (!canceled) { - setUsername(loggedInUser); - } - } catch (e) { - if (!canceled) { - setUsername(null); - } - } - }; - - fetchData(); - - return () => { - canceled = true; - }; - }, []); - - if (username === undefined) { - return LoadingSpinner; - } else if (username == null) { - return null; - } - - // TODO: why does `createdBy: ` specified as a `search` query does not match results? - const noTimelinesMessage = filterBy === 'favorites' ? i18n.NO_FAVORITE_TIMELINES : i18n.NO_TIMELINES; @@ -108,7 +73,7 @@ const StatefulRecentTimelinesComponent = React.memo( {({ timelines, loading }) => ( <> {loading ? ( - <>{LoadingSpinner} + ) : ( {timelines.map((t, i) => ( -
- - - {t.description && t.description.length && ( - <> - - - {t.description} - - - )} - {i !== timelines.length - 1 && } -
+ + ( + + + + + {t.description && t.description.length && ( + <> + + + {t.description} + + + )} + + + {showHoverContent && ( + + + + onOpenTimeline({ + duplicate: true, + timelineId: `${t.savedObjectId}`, + }) + } + size="s" + /> + + + )} + + )} + /> + <>{i !== timelines.length - 1 && } + ))} ); diff --git a/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/constants.tsx b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/constants.tsx index 0330fb458e364..e8074c2f6f381 100644 --- a/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/constants.tsx +++ b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/constants.tsx @@ -8,4 +8,6 @@ export const DATE_FIELD_TYPE = 'date'; export const HOST_NAME_FIELD_NAME = 'host.name'; export const IP_FIELD_TYPE = 'ip'; export const MESSAGE_FIELD_NAME = 'message'; +export const EVENT_MODULE_FIELD_NAME = 'event.module'; +export const RULE_REFERENCE_FIELD_NAME = 'rule.reference'; export const SIGNAL_RULE_NAME_FIELD_NAME = 'signal.rule.name'; diff --git a/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/formatted_field.tsx b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/formatted_field.tsx index 010a328d2993d..0f650d6386194 100644 --- a/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/formatted_field.tsx +++ b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/formatted_field.tsx @@ -4,7 +4,7 @@ * you may not use this file except in compliance with the Elastic License. */ -import { EuiFlexGroup, EuiFlexItem, EuiToolTip, EuiLink } from '@elastic/eui'; +import { EuiFlexGroup, EuiFlexItem, EuiToolTip } from '@elastic/eui'; import { isNumber, isString, isEmpty } from 'lodash/fp'; import React from 'react'; @@ -15,7 +15,7 @@ import { getOrEmptyTagFromValue, getEmptyTagValue } from '../../../empty_value'; import { FormattedDate } from '../../../formatted_date'; import { FormattedIp } from '../../../formatted_ip'; import { HostDetailsLink } from '../../../links'; -import { getRuleDetailsUrl } from '../../../link_to/redirect_to_detection_engine'; + import { Port, PORT_NAMES } from '../../../port'; import { TruncatableText } from '../../../truncatable_text'; import { @@ -23,8 +23,11 @@ import { HOST_NAME_FIELD_NAME, IP_FIELD_TYPE, MESSAGE_FIELD_NAME, + EVENT_MODULE_FIELD_NAME, + RULE_REFERENCE_FIELD_NAME, SIGNAL_RULE_NAME_FIELD_NAME, } from './constants'; +import { renderRuleName, renderEventModule, renderRulReference } from './formatted_field_helpers'; // simple black-list to prevent dragging and dropping fields such as message name const columnNamesNotDraggable = [MESSAGE_FIELD_NAME]; @@ -88,6 +91,12 @@ const FormattedFieldValueComponent: React.FC<{ return ( ); + } else if (fieldName === SIGNAL_RULE_NAME_FIELD_NAME) { + return renderRuleName({ contextId, eventId, fieldName, linkValue, truncate, value }); + } else if (fieldName === EVENT_MODULE_FIELD_NAME) { + return renderEventModule({ contextId, eventId, fieldName, linkValue, truncate, value }); + } else if (fieldName === RULE_REFERENCE_FIELD_NAME) { + return renderRulReference({ contextId, eventId, fieldName, linkValue, truncate, value }); } else if (columnNamesNotDraggable.includes(fieldName)) { return truncate && !isEmpty(value) ? ( @@ -110,24 +119,6 @@ const FormattedFieldValueComponent: React.FC<{ ) : ( <>{value} ); - } else if (fieldName === SIGNAL_RULE_NAME_FIELD_NAME) { - const ruleName = `${value}`; - const ruleId = linkValue; - - return isString(value) && ruleName.length > 0 && ruleId != null ? ( - - - {value} - - - ) : ( - getEmptyTagValue() - ); } else { const contentValue = getOrEmptyTagFromValue(value); const content = truncate ? {contentValue} : contentValue; diff --git a/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/formatted_field_helpers.tsx b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/formatted_field_helpers.tsx new file mode 100644 index 0000000000000..b48cc546fe78c --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/formatted_field_helpers.tsx @@ -0,0 +1,159 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { EuiLink, EuiFlexGroup, EuiFlexItem, EuiIcon, EuiToolTip } from '@elastic/eui'; +import { isString, isEmpty } from 'lodash/fp'; +import React from 'react'; + +import { DefaultDraggable } from '../../../draggables'; +import { getEmptyTagValue } from '../../../empty_value'; +import { getRuleDetailsUrl } from '../../../link_to/redirect_to_detection_engine'; +import { TruncatableText } from '../../../truncatable_text'; + +import { isUrlInvalid } from '../../../../pages/detection_engine/rules/components/step_about_rule/helpers'; +import endPointSvg from '../../../../utils/logo_endpoint/64_color.svg'; + +import * as i18n from './translations'; + +export const renderRuleName = ({ + contextId, + eventId, + fieldName, + linkValue, + truncate, + value, +}: { + contextId: string; + eventId: string; + fieldName: string; + linkValue: string | null | undefined; + truncate?: boolean; + value: string | number | null | undefined; +}) => { + const ruleName = `${value}`; + const ruleId = linkValue; + + const content = truncate ? {value} : value; + + return isString(value) && ruleName.length > 0 && ruleId != null ? ( + + {content} + + ) : ( + getEmptyTagValue() + ); +}; + +const canYouAddEndpointLogo = (moduleName: string, endpointUrl: string | null | undefined) => + moduleName.trim().toLocaleLowerCase() === 'endgame' && + endpointUrl != null && + !isEmpty(endpointUrl) && + !isUrlInvalid(endpointUrl) && + endpointUrl.includes('/alerts/'); + +export const renderEventModule = ({ + contextId, + eventId, + fieldName, + linkValue, + truncate, + value, +}: { + contextId: string; + eventId: string; + fieldName: string; + linkValue: string | null | undefined; + truncate?: boolean; + value: string | number | null | undefined; +}) => { + const moduleName = `${value}`; + const endpointRefUrl = linkValue; + + const content = truncate ? {value} : value; + + return isString(value) && moduleName.length > 0 ? ( + + + + {content} + + + {endpointRefUrl != null && canYouAddEndpointLogo(moduleName, endpointRefUrl) && ( + + +

{i18n.LINK_ELASTIC_ENDPOINT_SECURITY}

+

{endpointRefUrl}

+ + } + > + + + + + + )} + + ) : ( + getEmptyTagValue() + ); +}; + +export const renderRulReference = ({ + contextId, + eventId, + fieldName, + linkValue, + truncate, + value, +}: { + contextId: string; + eventId: string; + fieldName: string; + linkValue: string | null | undefined; + truncate?: boolean; + value: string | number | null | undefined; +}) => { + const referenceUrlName = `${value}`; + + const content = truncate ? {value} : value; + + return isString(value) && referenceUrlName.length > 0 ? ( + + {!isUrlInvalid(referenceUrlName) && ( + + {content} + + )} + {isUrlInvalid(referenceUrlName) && <>{content}} + + ) : ( + getEmptyTagValue() + ); +}; diff --git a/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/translations.ts b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/translations.ts index 2c3c3efdb2993..5bdeccbd0f4ba 100644 --- a/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/translations.ts +++ b/x-pack/legacy/plugins/siem/public/components/timeline/body/renderers/translations.ts @@ -29,3 +29,10 @@ export const IN = i18n.translate('xpack.siem.auditd.inDescription', { export const NON_EXISTENT = i18n.translate('xpack.siem.auditd.nonExistentDescription', { defaultMessage: 'an unknown process', }); + +export const LINK_ELASTIC_ENDPOINT_SECURITY = i18n.translate( + 'xpack.siem.event.module.linkToElasticEndpointSecurityDescription', + { + defaultMessage: 'Open in Elastic Endpoint Security', + } +); diff --git a/x-pack/legacy/plugins/siem/public/components/timeline/footer/index.test.tsx b/x-pack/legacy/plugins/siem/public/components/timeline/footer/index.test.tsx index b6ca4fe125c69..cbad2d42cf8af 100644 --- a/x-pack/legacy/plugins/siem/public/components/timeline/footer/index.test.tsx +++ b/x-pack/legacy/plugins/siem/public/components/timeline/footer/index.test.tsx @@ -121,7 +121,7 @@ describe('Footer Timeline Component', () => { .find('[data-test-subj="TimelineMoreButton"]') .dive() .text(); - expect(loadButton).toContain('Load More'); + expect(loadButton).toContain('Load more'); }); test('it does NOT render the loadMore button because there is nothing else to fetch', () => { diff --git a/x-pack/legacy/plugins/siem/public/components/timeline/footer/translations.ts b/x-pack/legacy/plugins/siem/public/components/timeline/footer/translations.ts index 886866ce1b0c2..814311d4e14de 100644 --- a/x-pack/legacy/plugins/siem/public/components/timeline/footer/translations.ts +++ b/x-pack/legacy/plugins/siem/public/components/timeline/footer/translations.ts @@ -27,7 +27,7 @@ export const LOADING = i18n.translate('xpack.siem.footer.loadingLabel', { }); export const LOAD_MORE = i18n.translate('xpack.siem.footer.loadMoreLabel', { - defaultMessage: 'Load More', + defaultMessage: 'Load more', }); export const TOTAL_COUNT_OF_EVENTS = i18n.translate('xpack.siem.footer.totalCountOfEvents', { diff --git a/x-pack/legacy/plugins/siem/public/containers/anomalies/anomalies_query_tab_body/index.tsx b/x-pack/legacy/plugins/siem/public/containers/anomalies/anomalies_query_tab_body/index.tsx index 2d9ac8b7645ca..e34832aa88c93 100644 --- a/x-pack/legacy/plugins/siem/public/containers/anomalies/anomalies_query_tab_body/index.tsx +++ b/x-pack/legacy/plugins/siem/public/containers/anomalies/anomalies_query_tab_body/index.tsx @@ -5,7 +5,6 @@ */ import React, { useEffect } from 'react'; -import { EuiSpacer } from '@elastic/eui'; import * as i18n from './translations'; import { AnomaliesQueryTabBodyProps } from './types'; import { getAnomaliesFilterQuery } from './utils'; @@ -80,7 +79,6 @@ export const AnomaliesQueryTabBody = ({ type={type} updateDateRange={updateDateRange} /> - ( useEffect(() => { let isSubscribed = true; const abortCtrl = new AbortController(); - setLoading(true); async function fetchData() { try { + setLoading(true); const signalResponse = await fetchQuerySignals({ query, signal: abortCtrl.signal, diff --git a/x-pack/legacy/plugins/siem/public/containers/matrix_histogram/index.tsx b/x-pack/legacy/plugins/siem/public/containers/matrix_histogram/index.tsx index d5fd325bb9a26..9e0b1579a7b65 100644 --- a/x-pack/legacy/plugins/siem/public/containers/matrix_histogram/index.tsx +++ b/x-pack/legacy/plugins/siem/public/containers/matrix_histogram/index.tsx @@ -24,6 +24,7 @@ import { UpdateDateRange } from '../../components/charts/common'; import { SetQuery } from '../../pages/hosts/navigation/types'; export interface OwnProps extends QueryTemplateProps { + chartHeight?: number; dataKey: string | string[]; defaultStackByOption: MatrixHistogramOption; errorMessage: string; @@ -37,6 +38,7 @@ export interface OwnProps extends QueryTemplateProps { isEventsHistogram?: boolean; legendPosition?: Position; mapping?: MatrixHistogramMappingTypes; + panelHeight?: number; query: Maybe; setQuery: SetQuery; showLegend?: boolean; diff --git a/x-pack/legacy/plugins/siem/public/containers/overview/overview_host/index.tsx b/x-pack/legacy/plugins/siem/public/containers/overview/overview_host/index.tsx index 36cadd7872cc8..8c40c4044a746 100644 --- a/x-pack/legacy/plugins/siem/public/containers/overview/overview_host/index.tsx +++ b/x-pack/legacy/plugins/siem/public/containers/overview/overview_host/index.tsx @@ -41,34 +41,36 @@ export interface OverviewHostProps extends QueryTemplateProps { } const OverviewHostComponentQuery = React.memo( - ({ id = ID, children, filterQuery, isInspected, sourceId, startDate, endDate }) => ( - - query={overviewHostQuery} - fetchPolicy={getDefaultFetchPolicy()} - variables={{ - sourceId, - timerange: { - interval: '12h', - from: startDate, - to: endDate, - }, - filterQuery: createFilter(filterQuery), - defaultIndex: useUiSetting(DEFAULT_INDEX_KEY), - inspect: isInspected, - }} - > - {({ data, loading, refetch }) => { - const overviewHost = getOr({}, `source.OverviewHost`, data); - return children({ - id, - inspect: getOr(null, 'source.OverviewHost.inspect', data), - overviewHost, - loading, - refetch, - }); - }} - - ) + ({ id = ID, children, filterQuery, isInspected, sourceId, startDate, endDate }) => { + return ( + + query={overviewHostQuery} + fetchPolicy={getDefaultFetchPolicy()} + variables={{ + sourceId, + timerange: { + interval: '12h', + from: startDate, + to: endDate, + }, + filterQuery: createFilter(filterQuery), + defaultIndex: useUiSetting(DEFAULT_INDEX_KEY), + inspect: isInspected, + }} + > + {({ data, loading, refetch }) => { + const overviewHost = getOr({}, `source.OverviewHost`, data); + return children({ + id, + inspect: getOr(null, 'source.OverviewHost.inspect', data), + overviewHost, + loading, + refetch, + }); + }} + + ); + } ); OverviewHostComponentQuery.displayName = 'OverviewHostComponentQuery'; diff --git a/x-pack/legacy/plugins/siem/public/containers/timeline/index.gql_query.ts b/x-pack/legacy/plugins/siem/public/containers/timeline/index.gql_query.ts index 9bd580f832230..c54238c5d8687 100644 --- a/x-pack/legacy/plugins/siem/public/containers/timeline/index.gql_query.ts +++ b/x-pack/legacy/plugins/siem/public/containers/timeline/index.gql_query.ts @@ -134,6 +134,9 @@ export const timelineQuery = gql` name ip } + rule { + reference + } source { bytes ip diff --git a/x-pack/legacy/plugins/siem/public/graphql/introspection.json b/x-pack/legacy/plugins/siem/public/graphql/introspection.json index a9247403bf22c..b356b67b75c7b 100644 --- a/x-pack/legacy/plugins/siem/public/graphql/introspection.json +++ b/x-pack/legacy/plugins/siem/public/graphql/introspection.json @@ -3985,6 +3985,14 @@ "isDeprecated": false, "deprecationReason": null }, + { + "name": "rule", + "description": "", + "args": [], + "type": { "kind": "OBJECT", "name": "RuleEcsField", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + }, { "name": "signal", "description": "", @@ -4743,6 +4751,25 @@ "enumValues": null, "possibleTypes": null }, + { + "kind": "OBJECT", + "name": "RuleEcsField", + "description": "", + "fields": [ + { + "name": "reference", + "description": "", + "args": [], + "type": { "kind": "SCALAR", "name": "ToStringArray", "ofType": null }, + "isDeprecated": false, + "deprecationReason": null + } + ], + "inputFields": null, + "interfaces": [], + "enumValues": null, + "possibleTypes": null + }, { "kind": "OBJECT", "name": "SignalField", diff --git a/x-pack/legacy/plugins/siem/public/graphql/types.ts b/x-pack/legacy/plugins/siem/public/graphql/types.ts index 6a24ffcc13020..0103713a8c8a2 100644 --- a/x-pack/legacy/plugins/siem/public/graphql/types.ts +++ b/x-pack/legacy/plugins/siem/public/graphql/types.ts @@ -791,6 +791,8 @@ export interface Ecs { network?: Maybe; + rule?: Maybe; + signal?: Maybe; source?: Maybe; @@ -970,6 +972,10 @@ export interface NetworkEcsField { transport?: Maybe; } +export interface RuleEcsField { + reference?: Maybe; +} + export interface SignalField { rule?: Maybe; @@ -4456,6 +4462,8 @@ export namespace GetTimelineQuery { host: Maybe; + rule: Maybe; + source: Maybe<_Source>; destination: Maybe; @@ -4671,6 +4679,12 @@ export namespace GetTimelineQuery { ip: Maybe; }; + export type Rule = { + __typename?: 'RuleEcsField'; + + reference: Maybe; + }; + export type _Source = { __typename?: 'SourceEcsFields'; @@ -4792,10 +4806,10 @@ export namespace GetTimelineQuery { original_time: Maybe; - rule: Maybe; + rule: Maybe<_Rule>; }; - export type Rule = { + export type _Rule = { __typename?: 'RuleField'; id: Maybe; diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals/default_config.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals/default_config.tsx index f5d138a3afcb8..6cf515050a39f 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals/default_config.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals/default_config.tsx @@ -86,6 +86,11 @@ export const buildSignalsRuleIdFilter = (ruleId: string): esFilters.Filter[] => ]; export const signalsHeaders: ColumnHeader[] = [ + { + columnHeaderType: defaultColumnHeaderType, + id: '@timestamp', + width: DEFAULT_DATE_COLUMN_MIN_WIDTH, + }, { columnHeaderType: defaultColumnHeaderType, id: 'signal.rule.name', @@ -109,13 +114,19 @@ export const signalsHeaders: ColumnHeader[] = [ columnHeaderType: defaultColumnHeaderType, id: 'signal.rule.severity', label: i18n.SIGNALS_HEADERS_SEVERITY, - width: 100, + width: 105, }, { columnHeaderType: defaultColumnHeaderType, id: 'signal.rule.risk_score', label: i18n.SIGNALS_HEADERS_RISK_SCORE, - width: 120, + width: 115, + }, + { + columnHeaderType: defaultColumnHeaderType, + id: 'event.module', + linkField: 'rule.reference', + width: DEFAULT_COLUMN_MIN_WIDTH, }, { category: 'event', @@ -150,11 +161,6 @@ export const signalsHeaders: ColumnHeader[] = [ id: 'destination.ip', width: 140, }, - { - columnHeaderType: defaultColumnHeaderType, - id: '@timestamp', - width: DEFAULT_DATE_COLUMN_MIN_WIDTH, - }, ]; export const signalsDefaultModel: SubsetTimelineModel = { diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/index.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/index.tsx index 2cdafe38a7434..29aaa951ff71a 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/index.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/index.tsx @@ -4,7 +4,7 @@ * you may not use this file except in compliance with the Elastic License. */ import { Position } from '@elastic/charts'; -import { EuiButton, EuiSelect, EuiPanel } from '@elastic/eui'; +import { EuiButton, EuiFlexGroup, EuiFlexItem, EuiSelect, EuiPanel } from '@elastic/eui'; import numeral from '@elastic/numeral'; import React, { memo, useCallback, useMemo, useState, useEffect } from 'react'; import styled from 'styled-components'; @@ -12,8 +12,6 @@ import { isEmpty } from 'lodash/fp'; import { HeaderSection } from '../../../../components/header_section'; import { SignalsHistogram } from './signals_histogram'; - -import * as i18n from './translations'; import { Query } from '../../../../../../../../../src/plugins/data/common/query'; import { esFilters, esQuery } from '../../../../../../../../../src/plugins/data/common/es_query'; import { RegisterQuery, SignalsHistogramOption, SignalsAggregation, SignalsTotal } from './types'; @@ -26,8 +24,14 @@ import { useQuerySignals } from '../../../../containers/detection_engine/signals import { MatrixLoader } from '../../../../components/matrix_histogram/matrix_loader'; import { formatSignalsData, getSignalsHistogramQuery } from './helpers'; +import * as i18n from './translations'; + +const DEFAULT_PANEL_HEIGHT = 300; -const StyledEuiPanel = styled(EuiPanel)` +const StyledEuiPanel = styled(EuiPanel)<{ height?: number }>` + display: flex; + flex-direction: column; + ${({ height }) => (height != null ? `height: ${height}px;` : '')} position: relative; `; @@ -38,7 +42,12 @@ const defaultTotalSignalsObj: SignalsTotal = { export const DETECTIONS_HISTOGRAM_ID = 'detections-histogram'; +const ViewSignalsFlexItem = styled(EuiFlexItem)` + margin-left: 24px; +`; + interface SignalsHistogramPanelProps { + chartHeight?: number; defaultStackByOption?: SignalsHistogramOption; deleteQuery?: ({ id }: { id: string }) => void; filters?: esFilters.Filter[]; @@ -46,6 +55,7 @@ interface SignalsHistogramPanelProps { query?: Query; legendPosition?: Position; loadingInitial?: boolean; + panelHeight?: number; signalIndexName: string | null; setQuery: (params: RegisterQuery) => void; showLinkToSignals?: boolean; @@ -58,6 +68,7 @@ interface SignalsHistogramPanelProps { export const SignalsHistogramPanel = memo( ({ + chartHeight, defaultStackByOption = signalsHistogramOptions[0], deleteQuery, filters, @@ -65,6 +76,7 @@ export const SignalsHistogramPanel = memo( from, legendPosition = 'right', loadingInitial = false, + panelHeight = DEFAULT_PANEL_HEIGHT, setQuery, signalIndexName, showLinkToSignals = false, @@ -171,7 +183,7 @@ export const SignalsHistogramPanel = memo( return ( - + {isInitialLoading ? ( <> @@ -184,26 +196,33 @@ export const SignalsHistogramPanel = memo( title={title} subtitle={showTotalSignalsCount && totalSignals} > - {stackByOptions && ( - - )} - {showLinkToSignals && ( - {i18n.VIEW_SIGNALS} - )} + + + {stackByOptions && ( + + )} + + {showLinkToSignals && ( + + {i18n.VIEW_SIGNALS} + + )} + )} diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/signals_histogram.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/signals_histogram.tsx index 9d2af1e78f285..92f6740e4d767 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/signals_histogram.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/signals_histogram.tsx @@ -19,7 +19,10 @@ import { useTheme } from '../../../../components/charts/common'; import { histogramDateTimeFormatter } from '../../../../components/utils'; import { HistogramData } from './types'; +const DEFAULT_CHART_HEIGHT = 174; + interface HistogramSignalsProps { + chartHeight?: number; from: number; legendPosition?: Position; loading: boolean; @@ -29,7 +32,15 @@ interface HistogramSignalsProps { } export const SignalsHistogram = React.memo( - ({ to, from, legendPosition = 'right', data, updateDateRange, loading }) => { + ({ + chartHeight = DEFAULT_CHART_HEIGHT, + data, + from, + legendPosition = 'right', + loading, + to, + updateDateRange, + }) => { const theme = useTheme(); return ( @@ -43,7 +54,7 @@ export const SignalsHistogram = React.memo( /> )} - + from={from} loadingInitial={loading} query={query} - signalIndexName={signalIndexName} setQuery={setQuery} + showTotalSignalsCount={true} + signalIndexName={signalIndexName} stackByOptions={signalsHistogramOptions} to={to} updateDateRange={updateDateRangeCallback} @@ -203,7 +204,6 @@ const DetectionEnginePageComponent: React.FC setQuery={setQuery} to={to} /> - )} diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/index.test.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/index.test.tsx new file mode 100644 index 0000000000000..fab689f7d821f --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/index.test.tsx @@ -0,0 +1,185 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { addFilterStateIfNotThere } from './'; + +import { esFilters } from '../../../../../../../../../../src/plugins/data/public'; + +describe('description_step', () => { + describe('addFilterStateIfNotThere', () => { + test('it does not change the state if it is global', () => { + const filters: esFilters.Filter[] = [ + { + $state: { + store: esFilters.FilterStateStore.GLOBAL_STATE, + }, + meta: { + alias: null, + disabled: false, + key: 'event.category', + negate: false, + params: { + query: 'file', + }, + type: 'phrase', + }, + query: { + match_phrase: { + 'event.category': 'file', + }, + }, + }, + { + $state: { + store: esFilters.FilterStateStore.GLOBAL_STATE, + }, + meta: { + alias: null, + disabled: false, + key: 'event.category', + negate: false, + params: { + query: 'file', + }, + type: 'phrase', + }, + query: { + match_phrase: { + 'event.category': 'file', + }, + }, + }, + ]; + const output = addFilterStateIfNotThere(filters); + const expected: esFilters.Filter[] = [ + { + $state: { + store: esFilters.FilterStateStore.GLOBAL_STATE, + }, + meta: { + alias: null, + disabled: false, + key: 'event.category', + negate: false, + params: { + query: 'file', + }, + type: 'phrase', + }, + query: { + match_phrase: { + 'event.category': 'file', + }, + }, + }, + { + $state: { + store: esFilters.FilterStateStore.GLOBAL_STATE, + }, + meta: { + alias: null, + disabled: false, + key: 'event.category', + negate: false, + params: { + query: 'file', + }, + type: 'phrase', + }, + query: { + match_phrase: { + 'event.category': 'file', + }, + }, + }, + ]; + expect(output).toEqual(expected); + }); + + test('it adds the state if it does not exist as local', () => { + const filters: esFilters.Filter[] = [ + { + meta: { + alias: null, + disabled: false, + key: 'event.category', + negate: false, + params: { + query: 'file', + }, + type: 'phrase', + }, + query: { + match_phrase: { + 'event.category': 'file', + }, + }, + }, + { + meta: { + alias: null, + disabled: false, + key: 'event.category', + negate: false, + params: { + query: 'file', + }, + type: 'phrase', + }, + query: { + match_phrase: { + 'event.category': 'file', + }, + }, + }, + ]; + const output = addFilterStateIfNotThere(filters); + const expected: esFilters.Filter[] = [ + { + $state: { + store: esFilters.FilterStateStore.APP_STATE, + }, + meta: { + alias: null, + disabled: false, + key: 'event.category', + negate: false, + params: { + query: 'file', + }, + type: 'phrase', + }, + query: { + match_phrase: { + 'event.category': 'file', + }, + }, + }, + { + $state: { + store: esFilters.FilterStateStore.APP_STATE, + }, + meta: { + alias: null, + disabled: false, + key: 'event.category', + negate: false, + params: { + query: 'file', + }, + type: 'phrase', + }, + query: { + match_phrase: { + 'event.category': 'file', + }, + }, + }, + ]; + expect(output).toEqual(expected); + }); + }); +}); diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/index.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/index.tsx index f1d2609cde8fe..96c98a67b7662 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/index.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/description_step/index.tsx @@ -97,6 +97,16 @@ const buildListItems = ( [] ); +export const addFilterStateIfNotThere = (filters: esFilters.Filter[]): esFilters.Filter[] => { + return filters.map(filter => { + if (filter.$state == null) { + return { $state: { store: esFilters.FilterStateStore.APP_STATE }, ...filter }; + } else { + return filter; + } + }); +}; + const getDescriptionItem = ( field: string, label: string, @@ -105,7 +115,7 @@ const getDescriptionItem = ( indexPatterns?: IIndexPattern ): ListItems[] => { if (field === 'queryBar') { - const filters = get('queryBar.filters', value) as esFilters.Filter[]; + const filters = addFilterStateIfNotThere(get('queryBar.filters', value)); const query = get('queryBar.query', value) as Query; const savedId = get('queryBar.saved_id', value); return buildQueryBarDescription({ diff --git a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/details/index.tsx b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/details/index.tsx index 1914f967813a1..7b615d5f159c2 100644 --- a/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/details/index.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/details/index.tsx @@ -24,7 +24,11 @@ import { ActionCreator } from 'typescript-fsa'; import { connect } from 'react-redux'; import { FiltersGlobal } from '../../../../components/filters_global'; import { FormattedDate } from '../../../../components/formatted_date'; -import { DETECTION_ENGINE_PAGE_NAME } from '../../../../components/link_to/redirect_to_detection_engine'; +import { + getDetectionEngineUrl, + getEditRuleUrl, + getRulesUrl, +} from '../../../../components/link_to/redirect_to_detection_engine'; import { SiemSearchBar } from '../../../../components/search_bar'; import { WrapperPage } from '../../../../components/wrapper_page'; import { useRule } from '../../../../containers/detection_engine/rules'; @@ -237,7 +241,7 @@ const RuleDetailsPageComponent: FC = ({ isAuthenticated != null && (!isSignalIndexExists || !isAuthenticated) ) { - return ; + return ; } return ( @@ -257,7 +261,7 @@ const RuleDetailsPageComponent: FC = ({ = ({ diff --git a/x-pack/legacy/plugins/siem/public/pages/hosts/hosts.tsx b/x-pack/legacy/plugins/siem/public/pages/hosts/hosts.tsx index 2c475e4ba6ac5..2e2986fb632b1 100644 --- a/x-pack/legacy/plugins/siem/public/pages/hosts/hosts.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/hosts/hosts.tsx @@ -36,7 +36,7 @@ import { HostsTabs } from './hosts_tabs'; import { navTabsHosts } from './nav_tabs'; import * as i18n from './translations'; import { HostsComponentProps, HostsComponentReduxProps } from './types'; -import { filterAlertsHosts } from './navigation'; +import { filterHostData } from './navigation'; import { HostsTableType } from '../../store/hosts/model'; const KpiHostsComponentManage = manageQuery(KpiHostsComponent); @@ -56,9 +56,9 @@ export const HostsComponent = React.memo( const capabilities = React.useContext(MlCapabilitiesContext); const kibana = useKibana(); const { tabName } = useParams(); - const hostsFilters = React.useMemo(() => { + const tabsFilters = React.useMemo(() => { if (tabName === HostsTableType.alerts) { - return filters.length > 0 ? [...filters, ...filterAlertsHosts] : filterAlertsHosts; + return filters.length > 0 ? [...filters, ...filterHostData] : filterHostData; } return filters; }, [tabName, filters]); @@ -77,7 +77,13 @@ export const HostsComponent = React.memo( config: esQuery.getEsQueryConfig(kibana.services.uiSettings), indexPattern, queries: [query], - filters: hostsFilters, + filters, + }); + const tabsFilterQuery = convertToBuildEsQuery({ + config: esQuery.getEsQueryConfig(kibana.services.uiSettings), + indexPattern, + queries: [query], + filters: tabsFilters, }); return indicesExistOrDataTemporarilyUnavailable(indicesExist) ? ( @@ -123,7 +129,7 @@ export const HostsComponent = React.memo( { const { pageFilters, ...rest } = alertsProps; const hostPageFilters = useMemo( - () => (pageFilters != null ? [...filterAlertsHosts, ...pageFilters] : filterAlertsHosts), + () => (pageFilters != null ? [...filterHostData, ...pageFilters] : filterHostData), [pageFilters] ); diff --git a/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/authentications_query_tab_body.tsx b/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/authentications_query_tab_body.tsx index 0109eeef91463..a6a0344599842 100644 --- a/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/authentications_query_tab_body.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/authentications_query_tab_body.tsx @@ -6,7 +6,6 @@ import { getOr } from 'lodash/fp'; import React, { useEffect } from 'react'; -import { EuiSpacer } from '@elastic/eui'; import { AuthenticationTable } from '../../../components/page/hosts/authentications_table'; import { manageQuery } from '../../../components/page/manage_query'; import { AuthenticationsQuery } from '../../../containers/authentications'; @@ -86,7 +85,6 @@ export const AuthenticationsQueryTabBody = ({ type={hostsModel.HostsType.page} updateDateRange={updateDateRange} /> - - ( - + )); NetworkAlertsQueryTabBody.displayName = 'NetworkAlertsQueryTabBody'; diff --git a/x-pack/legacy/plugins/siem/public/pages/network/navigation/conditional_flex_group.tsx b/x-pack/legacy/plugins/siem/public/pages/network/navigation/conditional_flex_group.tsx index 0fcd7fa48f73c..350bbe2b532ba 100644 --- a/x-pack/legacy/plugins/siem/public/pages/network/navigation/conditional_flex_group.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/network/navigation/conditional_flex_group.tsx @@ -9,7 +9,7 @@ import styled from 'styled-components'; export const ConditionalFlexGroup = styled(EuiFlexGroup)` @media only screen and (min-width: 1441px) { - flex-direction: row; + flex-direction: row !important; } `; diff --git a/x-pack/legacy/plugins/siem/public/pages/network/navigation/dns_query_tab_body.tsx b/x-pack/legacy/plugins/siem/public/pages/network/navigation/dns_query_tab_body.tsx index edf2e20eb8c5e..b49849b285d8e 100644 --- a/x-pack/legacy/plugins/siem/public/pages/network/navigation/dns_query_tab_body.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/network/navigation/dns_query_tab_body.tsx @@ -7,7 +7,6 @@ import React, { useEffect, useCallback } from 'react'; import { getOr } from 'lodash/fp'; -import { EuiSpacer } from '@elastic/eui'; import { NetworkDnsTable } from '../../../components/page/network/network_dns_table'; import { NetworkDnsQuery, HISTOGRAM_ID } from '../../../containers/network_dns'; import { manageQuery } from '../../../components/page/manage_query'; @@ -71,7 +70,6 @@ export const DnsQueryTabBody = ({ type={networkModel.NetworkType.page} updateDateRange={updateDateRange} /> - ( const kibana = useKibana(); const { tabName } = useParams(); - const networkFilters = useMemo(() => { + const tabsFilters = useMemo(() => { if (tabName === NetworkRouteType.alerts) { - return filters.length > 0 ? [...filters, ...filterAlertsNetwork] : filterAlertsNetwork; + return filters.length > 0 ? [...filters, ...filterNetworkData] : filterNetworkData; } return filters; }, [tabName, filters]); @@ -76,7 +76,13 @@ const NetworkComponent = React.memo( config: esQuery.getEsQueryConfig(kibana.services.uiSettings), indexPattern, queries: [query], - filters: networkFilters, + filters, + }); + const tabsFilterQuery = convertToBuildEsQuery({ + config: esQuery.getEsQueryConfig(kibana.services.uiSettings), + indexPattern, + queries: [query], + filters: tabsFilters, }); return indicesExistOrDataTemporarilyUnavailable(indicesExist) ? ( @@ -133,7 +139,7 @@ const NetworkComponent = React.memo( void; @@ -51,80 +55,77 @@ interface Props { to: number; } -const ViewAlertsButton = styled(EuiButton)` - margin-left: 8px; -`; +const AlertsByCategoryComponent: React.FC = ({ + deleteQuery, + filters = NO_FILTERS, + from, + hideHeaderChildren = false, + indexPattern, + query = DEFAULT_QUERY, + setAbsoluteRangeDatePicker, + setQuery, + to, +}) => { + useEffect(() => { + return () => { + if (deleteQuery) { + deleteQuery({ id: ID }); + } + }; + }, []); + + const kibana = useKibana(); + const [defaultNumberFormat] = useUiSetting$(DEFAULT_NUMBER_FORMAT); -export const AlertsByCategory = React.memo( - ({ - deleteQuery, - filters = NO_FILTERS, - from, - hideHeaderChildren = false, - indexPattern, - query = DEFAULT_QUERY, - setAbsoluteRangeDatePicker, - setQuery, - to, - }) => { - useEffect(() => { - return () => { - if (deleteQuery) { - deleteQuery({ id: ID }); - } - }; - }, []); + const updateDateRangeCallback = useCallback( + (min: number, max: number) => { + setAbsoluteRangeDatePicker!({ id: 'global', from: min, to: max }); + }, + [setAbsoluteRangeDatePicker] + ); + const alertsCountViewAlertsButton = useMemo( + () => {i18n.VIEW_ALERTS}, + [] + ); - const kibana = useKibana(); - const [defaultNumberFormat] = useUiSetting$(DEFAULT_NUMBER_FORMAT); + const getSubtitle = useCallback( + (totalCount: number) => + `${SHOWING}: ${numeral(totalCount).format(defaultNumberFormat)} ${UNIT(totalCount)}`, + [] + ); - const updateDateRangeCallback = useCallback( - (min: number, max: number) => { - setAbsoluteRangeDatePicker!({ id: 'global', from: min, to: max }); - }, - [setAbsoluteRangeDatePicker] - ); - const alertsCountViewAlertsButton = useMemo( - () => ( - {i18n.VIEW_ALERTS} - ), - [] - ); + const defaultStackByOption = + alertsStackByOptions.find(o => o.text === DEFAULT_STACK_BY) ?? alertsStackByOptions[0]; - const getSubtitle = useCallback( - (totalCount: number) => - `${SHOWING}: ${numeral(totalCount).format(defaultNumberFormat)} ${UNIT(totalCount)}`, - [] - ); + return ( + + ); +}; - return ( - - ); - } -); +AlertsByCategoryComponent.displayName = 'AlertsByCategoryComponent'; -AlertsByCategory.displayName = 'AlertsByCategory'; +export const AlertsByCategory = React.memo(AlertsByCategoryComponent); diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/event_counts/index.test.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/event_counts/index.test.tsx new file mode 100644 index 0000000000000..f5419a3ff50e9 --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/pages/overview/event_counts/index.test.tsx @@ -0,0 +1,51 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { mount } from 'enzyme'; +import React from 'react'; + +import { OverviewHostProps } from '../../../components/page/overview/overview_host'; +import { OverviewNetworkProps } from '../../../components/page/overview/overview_network'; +import { mockIndexPattern, TestProviders } from '../../../mock'; + +import { EventCounts } from '.'; + +describe('EventCounts', () => { + const from = 1579553397080; + const to = 1579639797080; + + test('it filters the `Host events` widget with a `host.name` `exists` filter', () => { + const wrapper = mount( + + + + ); + + expect( + (wrapper + .find('[data-test-subj="overview-host-query"]') + .first() + .props() as OverviewHostProps).filterQuery + ).toContain('[{"bool":{"should":[{"exists":{"field":"host.name"}}]'); + }); + + test('it filters the `Network events` widget with a `source.ip` or `destination.ip` `exists` filter', () => { + const wrapper = mount( + + + + ); + + expect( + (wrapper + .find('[data-test-subj="overview-network-query"]') + .first() + .props() as OverviewNetworkProps).filterQuery + ).toContain( + '{"bool":{"filter":[{"bool":{"should":[{"bool":{"should":[{"exists":{"field":"source.ip"}}],"minimum_should_match":1}},{"bool":{"should":[{"exists":{"field":"destination.ip"}}],"minimum_should_match":1}}],"minimum_should_match":1}}]}}]' + ); + }); +}); diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/event_counts/index.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/event_counts/index.tsx index 2a35dbf96d6d7..b13f723772c95 100644 --- a/x-pack/legacy/plugins/siem/public/pages/overview/event_counts/index.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/overview/event_counts/index.tsx @@ -6,14 +6,20 @@ import { EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; import React from 'react'; -import { esFilters, IIndexPattern, Query } from 'src/plugins/data/public'; import styled from 'styled-components'; import { OverviewHost } from '../../../components/page/overview/overview_host'; import { OverviewNetwork } from '../../../components/page/overview/overview_network'; +import { filterHostData } from '../../hosts/navigation/alerts_query_tab_body'; import { useKibana } from '../../../lib/kibana'; import { convertToBuildEsQuery } from '../../../lib/keury'; -import { esQuery } from '../../../../../../../../src/plugins/data/public'; +import { filterNetworkData } from '../../network/navigation/alerts_query_tab_body'; +import { + esFilters, + esQuery, + IIndexPattern, + Query, +} from '../../../../../../../../src/plugins/data/public'; import { inputsModel } from '../../../store'; const HorizontalSpacer = styled(EuiFlexItem)` @@ -56,7 +62,7 @@ const EventCountsComponent: React.FC = ({ config: esQuery.getEsQueryConfig(kibana.services.uiSettings), indexPattern, queries: [query], - filters, + filters: [...filters, ...filterHostData], })} startDate={from} setQuery={setQuery} @@ -72,7 +78,7 @@ const EventCountsComponent: React.FC = ({ config: esQuery.getEsQueryConfig(kibana.services.uiSettings), indexPattern, queries: [query], - filters, + filters: [...filters, ...filterNetworkData], })} startDate={from} setQuery={setQuery} diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/events_by_dataset/index.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/events_by_dataset/index.tsx index 191b4a2592695..3269c1e585f5a 100644 --- a/x-pack/legacy/plugins/siem/public/pages/overview/events_by_dataset/index.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/overview/events_by_dataset/index.tsx @@ -7,8 +7,6 @@ import { EuiButton } from '@elastic/eui'; import numeral from '@elastic/numeral'; import React, { useCallback, useEffect, useMemo } from 'react'; -import { esFilters, IIndexPattern, Query } from 'src/plugins/data/public'; -import styled from 'styled-components'; import { ERROR_FETCHING_EVENTS_DATA, @@ -20,10 +18,14 @@ import { SetAbsoluteRangeDatePicker } from '../../network/types'; import { getTabsOnHostsUrl } from '../../../components/link_to/redirect_to_hosts'; import { MatrixHistogramContainer } from '../../../containers/matrix_histogram'; import { MatrixHistogramGqlQuery } from '../../../containers/matrix_histogram/index.gql_query'; -import { MatrixHistogramOption } from '../../../components/matrix_histogram/types'; import { eventsStackByOptions } from '../../hosts/navigation'; import { useKibana, useUiSetting$ } from '../../../lib/kibana'; -import { esQuery } from '../../../../../../../../src/plugins/data/public'; +import { + esFilters, + esQuery, + IIndexPattern, + Query, +} from '../../../../../../../../src/plugins/data/public'; import { inputsModel } from '../../../store'; import { HostsTableType, HostsType } from '../../../store/hosts/model'; import { DEFAULT_NUMBER_FORMAT } from '../../../../common/constants'; @@ -32,6 +34,7 @@ import * as i18n from '../translations'; const NO_FILTERS: esFilters.Filter[] = []; const DEFAULT_QUERY: Query = { query: '', language: 'kuery' }; +const DEFAULT_STACK_BY = 'event.dataset'; const ID = 'eventsByDatasetOverview'; @@ -51,85 +54,82 @@ interface Props { to: number; } -const ViewEventsButton = styled(EuiButton)` - margin-left: 8px; -`; +const EventsByDatasetComponent: React.FC = ({ + deleteQuery, + filters = NO_FILTERS, + from, + indexPattern, + query = DEFAULT_QUERY, + setAbsoluteRangeDatePicker, + setQuery, + to, +}) => { + useEffect(() => { + return () => { + if (deleteQuery) { + deleteQuery({ id: ID }); + } + }; + }, []); + + const kibana = useKibana(); + const [defaultNumberFormat] = useUiSetting$(DEFAULT_NUMBER_FORMAT); + + const updateDateRangeCallback = useCallback( + (min: number, max: number) => { + setAbsoluteRangeDatePicker!({ id: 'global', from: min, to: max }); + }, + [setAbsoluteRangeDatePicker] + ); + const eventsCountViewEventsButton = useMemo( + () => {i18n.VIEW_EVENTS}, + [] + ); -export const EventsByDataset = React.memo( - ({ - deleteQuery, - filters = NO_FILTERS, - from, - indexPattern, - query = DEFAULT_QUERY, - setAbsoluteRangeDatePicker, - setQuery, - to, - }) => { - useEffect(() => { - return () => { - if (deleteQuery) { - deleteQuery({ id: ID }); - } - }; - }, []); + const getSubtitle = useCallback( + (totalCount: number) => + `${SHOWING}: ${numeral(totalCount).format(defaultNumberFormat)} ${UNIT(totalCount)}`, + [] + ); - const kibana = useKibana(); - const [defaultNumberFormat] = useUiSetting$(DEFAULT_NUMBER_FORMAT); + const defaultStackByOption = + eventsStackByOptions.find(o => o.text === DEFAULT_STACK_BY) ?? eventsStackByOptions[0]; - const updateDateRangeCallback = useCallback( - (min: number, max: number) => { - setAbsoluteRangeDatePicker!({ id: 'global', from: min, to: max }); - }, - [setAbsoluteRangeDatePicker] - ); - const eventsCountViewEventsButton = useMemo( - () => ( - - {i18n.VIEW_EVENTS} - - ), - [] - ); + const filterQuery = useMemo( + () => + convertToBuildEsQuery({ + config: esQuery.getEsQueryConfig(kibana.services.uiSettings), + indexPattern, + queries: [query], + filters, + }), + [kibana, indexPattern, query, filters] + ); - const getTitle = useCallback( - (option: MatrixHistogramOption) => i18n.EVENTS_COUNT_BY(option.text), - [] - ); - const getSubtitle = useCallback( - (totalCount: number) => - `${SHOWING}: ${numeral(totalCount).format(defaultNumberFormat)} ${UNIT(totalCount)}`, - [] - ); + return ( + + ); +}; - return ( - - ); - } -); +EventsByDatasetComponent.displayName = 'EventsByDatasetComponent'; -EventsByDataset.displayName = 'EventsByDataset'; +export const EventsByDataset = React.memo(EventsByDatasetComponent); diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/overview.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/overview.tsx index 9ce7b8b0f71dc..2009878a51c61 100644 --- a/x-pack/legacy/plugins/siem/public/pages/overview/overview.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/overview/overview.tsx @@ -64,55 +64,57 @@ const OverviewComponent: React.FC = ({ {({ from, deleteQuery, setQuery, to }) => ( - <> - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + )} diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/overview_empty/index.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/overview_empty/index.tsx index 43883515574ac..9565b764b09e7 100644 --- a/x-pack/legacy/plugins/siem/public/pages/overview/overview_empty/index.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/overview/overview_empty/index.tsx @@ -13,7 +13,7 @@ import { useKibana } from '../../../lib/kibana'; const basePath = chrome.getBasePath(); -export const OverviewEmpty = React.memo(() => { +const OverviewEmptyComponent: React.FC = () => { const docLinks = useKibana().services.docLinks; return ( @@ -30,6 +30,8 @@ export const OverviewEmpty = React.memo(() => { title={i18nCommon.EMPTY_TITLE} /> ); -}); +}; -OverviewEmpty.displayName = 'OverviewEmpty'; +OverviewEmptyComponent.displayName = 'OverviewEmptyComponent'; + +export const OverviewEmpty = React.memo(OverviewEmptyComponent); diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/signals_by_category/index.tsx b/x-pack/legacy/plugins/siem/public/pages/overview/signals_by_category/index.tsx index fcf726723bdc1..7b25c6838a787 100644 --- a/x-pack/legacy/plugins/siem/public/pages/overview/signals_by_category/index.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/overview/signals_by_category/index.tsx @@ -5,16 +5,18 @@ */ import React, { useCallback } from 'react'; -import { esFilters, IIndexPattern, Query } from 'src/plugins/data/public'; -import { useSignalIndex } from '../../../containers/detection_engine/signals/use_signal_index'; import { SignalsHistogramPanel } from '../../detection_engine/components/signals_histogram_panel'; +import { signalsHistogramOptions } from '../../detection_engine/components/signals_histogram_panel/config'; +import { useSignalIndex } from '../../../containers/detection_engine/signals/use_signal_index'; import { SetAbsoluteRangeDatePicker } from '../../network/types'; +import { esFilters, IIndexPattern, Query } from '../../../../../../../../src/plugins/data/public'; import { inputsModel } from '../../../store'; import * as i18n from '../translations'; -const NO_FILTERS: esFilters.Filter[] = []; const DEFAULT_QUERY: Query = { query: '', language: 'kuery' }; +const DEFAULT_STACK_BY = 'signal.rule.threat.tactic.name'; +const NO_FILTERS: esFilters.Filter[] = []; interface Props { deleteQuery?: ({ id }: { id: string }) => void; @@ -32,47 +34,46 @@ interface Props { to: number; } -export const SignalsByCategory = React.memo( - ({ - deleteQuery, - filters = NO_FILTERS, - from, - query = DEFAULT_QUERY, - setAbsoluteRangeDatePicker, - setQuery, - to, - }) => { - const updateDateRangeCallback = useCallback( - (min: number, max: number) => { - setAbsoluteRangeDatePicker!({ id: 'global', from: min, to: max }); - }, - [setAbsoluteRangeDatePicker] - ); - const defaultStackByOption = { - text: `${i18n.SIGNALS_BY_CATEGORY}`, - value: 'signal.rule.threat', - }; +const SignalsByCategoryComponent: React.FC = ({ + deleteQuery, + filters = NO_FILTERS, + from, + query = DEFAULT_QUERY, + setAbsoluteRangeDatePicker, + setQuery, + to, +}) => { + const { signalIndexName } = useSignalIndex(); + const updateDateRangeCallback = useCallback( + (min: number, max: number) => { + setAbsoluteRangeDatePicker!({ id: 'global', from: min, to: max }); + }, + [setAbsoluteRangeDatePicker] + ); + + const defaultStackByOption = + signalsHistogramOptions.find(o => o.text === DEFAULT_STACK_BY) ?? signalsHistogramOptions[0]; - const { signalIndexName } = useSignalIndex(); + return ( + + ); +}; - return ( - - ); - } -); +SignalsByCategoryComponent.displayName = 'SignalsByCategoryComponent'; -SignalsByCategory.displayName = 'SignalsByCategory'; +export const SignalsByCategory = React.memo(SignalsByCategoryComponent); diff --git a/x-pack/legacy/plugins/siem/public/pages/overview/translations.ts b/x-pack/legacy/plugins/siem/public/pages/overview/translations.ts index 656abd3dc0570..e20083bf51772 100644 --- a/x-pack/legacy/plugins/siem/public/pages/overview/translations.ts +++ b/x-pack/legacy/plugins/siem/public/pages/overview/translations.ts @@ -6,21 +6,13 @@ import { i18n } from '@kbn/i18n'; -export const ALERTS_COUNT_BY = (groupByField: string) => - i18n.translate('xpack.siem.overview.alertsCountByTitle', { - values: { groupByField }, - defaultMessage: 'Alerts count by {groupByField}', - }); - export const ALERTS_GRAPH_TITLE = i18n.translate('xpack.siem.overview.alertsGraphTitle', { defaultMessage: 'External alerts count', }); -export const EVENTS_COUNT_BY = (groupByField: string) => - i18n.translate('xpack.siem.overview.eventsCountByTitle', { - values: { groupByField }, - defaultMessage: 'Events count by {groupByField}', - }); +export const EVENTS = i18n.translate('xpack.siem.overview.eventsTitle', { + defaultMessage: 'Events count', +}); export const NEWS_FEED_TITLE = i18n.translate('xpack.siem.overview.newsFeedSidebarTitle', { defaultMessage: 'Security news', @@ -38,8 +30,8 @@ export const RECENT_TIMELINES = i18n.translate('xpack.siem.overview.recentTimeli defaultMessage: 'Recent timelines', }); -export const SIGNALS_BY_CATEGORY = i18n.translate('xpack.siem.overview.signalsByCategoryTitle', { - defaultMessage: 'Signals count by MITRE ATT&CK\\u2122 category', +export const SIGNAL_COUNT = i18n.translate('xpack.siem.overview.signalCountTitle', { + defaultMessage: 'Signals count', }); export const VIEW_ALERTS = i18n.translate('xpack.siem.overview.viewAlertsButtonLabel', { diff --git a/x-pack/legacy/plugins/siem/public/plugin.tsx b/x-pack/legacy/plugins/siem/public/plugin.tsx index 057ed3a91c3b9..7911b5eb9833b 100644 --- a/x-pack/legacy/plugins/siem/public/plugin.tsx +++ b/x-pack/legacy/plugins/siem/public/plugin.tsx @@ -14,6 +14,7 @@ import { import { HomePublicPluginSetup } from '../../../../../src/plugins/home/public'; import { DataPublicPluginStart } from '../../../../../src/plugins/data/public'; import { IEmbeddableStart } from '../../../../../src/plugins/embeddable/public'; +import { Start as NewsfeedStart } from '../../../../../src/plugins/newsfeed/public'; import { Start as InspectorStart } from '../../../../../src/plugins/inspector/public'; import { IUiActionsStart } from '../../../../../src/plugins/ui_actions/public'; import { UsageCollectionSetup } from '../../../../../src/plugins/usage_collection/public'; @@ -29,6 +30,7 @@ export interface StartPlugins { data: DataPublicPluginStart; embeddable: IEmbeddableStart; inspector: InspectorStart; + newsfeed?: NewsfeedStart; uiActions: IUiActionsStart; } export type StartServices = CoreStart & StartPlugins; diff --git a/x-pack/legacy/plugins/siem/public/utils/logo_endpoint/64_color.svg b/x-pack/legacy/plugins/siem/public/utils/logo_endpoint/64_color.svg new file mode 100644 index 0000000000000..b03007a76ffcc --- /dev/null +++ b/x-pack/legacy/plugins/siem/public/utils/logo_endpoint/64_color.svg @@ -0,0 +1,7 @@ + + + + + + + diff --git a/x-pack/legacy/plugins/siem/server/graphql/ecs/schema.gql.ts b/x-pack/legacy/plugins/siem/server/graphql/ecs/schema.gql.ts index 730e6b884a182..f897236b3470e 100644 --- a/x-pack/legacy/plugins/siem/server/graphql/ecs/schema.gql.ts +++ b/x-pack/legacy/plugins/siem/server/graphql/ecs/schema.gql.ts @@ -417,6 +417,10 @@ export const ecsSchema = gql` original_time: ToStringArray } + type RuleEcsField { + reference: ToStringArray + } + type ECS { _id: String! _index: String @@ -428,6 +432,7 @@ export const ecsSchema = gql` geo: GeoEcsFields host: HostEcsFields network: NetworkEcsField + rule: RuleEcsField signal: SignalField source: SourceEcsFields suricata: SuricataEcsFields diff --git a/x-pack/legacy/plugins/siem/server/graphql/types.ts b/x-pack/legacy/plugins/siem/server/graphql/types.ts index 303262ece5c7f..c3fd6e9dde286 100644 --- a/x-pack/legacy/plugins/siem/server/graphql/types.ts +++ b/x-pack/legacy/plugins/siem/server/graphql/types.ts @@ -793,6 +793,8 @@ export interface Ecs { network?: Maybe; + rule?: Maybe; + signal?: Maybe; source?: Maybe; @@ -972,6 +974,10 @@ export interface NetworkEcsField { transport?: Maybe; } +export interface RuleEcsField { + reference?: Maybe; +} + export interface SignalField { rule?: Maybe; @@ -4279,6 +4285,8 @@ export namespace EcsResolvers { network?: NetworkResolver, TypeParent, TContext>; + rule?: RuleResolver, TypeParent, TContext>; + signal?: SignalResolver, TypeParent, TContext>; source?: SourceResolver, TypeParent, TContext>; @@ -4358,6 +4366,11 @@ export namespace EcsResolvers { Parent = Ecs, TContext = SiemContext > = Resolver; + export type RuleResolver< + R = Maybe, + Parent = Ecs, + TContext = SiemContext + > = Resolver; export type SignalResolver< R = Maybe, Parent = Ecs, @@ -4935,6 +4948,18 @@ export namespace NetworkEcsFieldResolvers { > = Resolver; } +export namespace RuleEcsFieldResolvers { + export interface Resolvers { + reference?: ReferenceResolver, TypeParent, TContext>; + } + + export type ReferenceResolver< + R = Maybe, + Parent = RuleEcsField, + TContext = SiemContext + > = Resolver; +} + export namespace SignalFieldResolvers { export interface Resolvers { rule?: RuleResolver, TypeParent, TContext>; @@ -9231,6 +9256,7 @@ export type IResolvers = { EndgameEcsFields?: EndgameEcsFieldsResolvers.Resolvers; EventEcsFields?: EventEcsFieldsResolvers.Resolvers; NetworkEcsField?: NetworkEcsFieldResolvers.Resolvers; + RuleEcsField?: RuleEcsFieldResolvers.Resolvers; SignalField?: SignalFieldResolvers.Resolvers; RuleField?: RuleFieldResolvers.Resolvers; SuricataEcsFields?: SuricataEcsFieldsResolvers.Resolvers; diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts index d950d89eb22a6..eea25a1e89cc8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts @@ -269,8 +269,6 @@ export const getResult = (): RuleAlertType => ({ alertTypeId: 'siem.signals', consumer: 'siem', params: { - createdAt: '2019-12-13T16:40:33.400Z', - updatedAt: '2019-12-13T16:40:33.400Z', description: 'Detecting root and admin users', ruleId: 'rule-1', index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'], diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/index/signals_mapping.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/index/signals_mapping.json index 4986c100f1b0b..714b39d1557a1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/index/signals_mapping.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/index/signals_mapping.json @@ -23,7 +23,20 @@ } }, "ancestors": { - "type": "object" + "properties": { + "rule": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "depth": { + "type": "long" + } + } }, "rule": { "properties": { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts index 68375043070f8..0ffa61e2e2bed 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts @@ -51,7 +51,6 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou const rules = await Promise.all( request.payload.map(async payloadRule => { const { - created_at: createdAt, description, enabled, false_positives: falsePositives, @@ -73,7 +72,6 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou threat, to, type, - updated_at: updatedAt, references, timeline_id: timelineId, timeline_title: timelineTitle, @@ -104,7 +102,6 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou const createdRule = await createRules({ alertsClient, actionsClient, - createdAt, description, enabled, falsePositives, @@ -129,7 +126,6 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou to, type, threat, - updatedAt, references, version, }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts index c631ed8f784ab..ec1df238f9483 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts @@ -35,7 +35,6 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute = }, async handler(request: RulesRequest, headers) { const { - created_at: createdAt, description, enabled, false_positives: falsePositives, @@ -59,7 +58,6 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute = threat, to, type, - updated_at: updatedAt, references, } = request.payload; const alertsClient = isFunction(request.getAlertsClient) ? request.getAlertsClient() : null; @@ -91,7 +89,6 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute = const createdRule = await createRules({ alertsClient, actionsClient, - createdAt, description, enabled, falsePositives, @@ -116,7 +113,6 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute = to, type, threat, - updatedAt, references, version: 1, }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts index 88a31c36a87fc..71fdef3623bc7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts @@ -130,7 +130,6 @@ export const createImportRulesRoute = (server: ServerFacade): Hapi.ServerRoute = const createdRule = await createRules({ alertsClient, actionsClient, - createdAt: new Date().toISOString(), description, enabled, falsePositives, @@ -155,7 +154,6 @@ export const createImportRulesRoute = (server: ServerFacade): Hapi.ServerRoute = to, type, threat, - updatedAt: new Date().toISOString(), references, version, }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts index 663ddf3a835a6..b45db53c13d88 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts @@ -81,8 +81,8 @@ export const transformAlertToRule = ( ruleStatus?: SavedObject ): Partial => { return pickBy((value: unknown) => value != null, { - created_at: alert.params.createdAt, - updated_at: alert.params.updatedAt, + created_at: alert.createdAt.toISOString(), + updated_at: alert.updatedAt.toISOString(), created_by: alert.createdBy, description: alert.params.description, enabled: alert.enabled, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts index 30e8c4dbf9d88..82fe16882882e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts @@ -45,7 +45,6 @@ export const createRules = ({ alertTypeId: SIGNALS_ID, consumer: APP_ID, params: { - createdAt: new Date().toISOString(), description, ruleId, index, @@ -66,7 +65,6 @@ export const createRules = ({ threat, to, type, - updatedAt: new Date().toISOString(), references, version, }, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts index 7e8ed62baf1cf..07e8c6940e747 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts @@ -75,8 +75,6 @@ export const installPrepackagedRules = ( threat, references, version, - createdAt: new Date().toISOString(), - updatedAt: new Date().toISOString(), }), ]; }, []); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/NOTICE.txt b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/NOTICE.txt deleted file mode 100644 index cd5f1cc6f886c..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/NOTICE.txt +++ /dev/null @@ -1,20 +0,0 @@ -This product bundles rules based on https://github.com/BlueTeamLabs/sentinel-attack -which is available under a "MIT" license. The files based on this license are: - -- windows_defense_evasion_via_filter_manager.json -- windows_process_discovery_via_tasklist_command.json -- windows_priv_escalation_via_accessibility_features.json -- windows_persistence_via_application_shimming.json -- windows_execution_via_trusted_developer_utilities.json -- windows_execution_via_net_com_assemblies.json -- windows_execution_via_connection_manager.json - -MIT License - -Copyright (c) 2019 Edoardo Gerosa, Olaf Hartong - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts index cd6d899133bff..b454501e9f563 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/index.ts @@ -69,57 +69,56 @@ import rule59 from './linux_nping_activity.json'; import rule60 from './linux_process_started_in_temp_directory.json'; import rule61 from './linux_shell_activity_by_web_server.json'; import rule62 from './linux_socat_activity.json'; -import rule63 from './linux_ssh_forwarding.json'; -import rule64 from './linux_strace_activity.json'; -import rule65 from './linux_tcpdump_activity.json'; -import rule66 from './linux_whoami_commmand.json'; -import rule67 from './network_dns_directly_to_the_internet.json'; -import rule68 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json'; -import rule69 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; -import rule70 from './network_nat_traversal_port_activity.json'; -import rule71 from './network_port_26_activity.json'; -import rule72 from './network_port_8000_activity_to_the_internet.json'; -import rule73 from './network_pptp_point_to_point_tunneling_protocol_activity.json'; -import rule74 from './network_proxy_port_activity_to_the_internet.json'; -import rule75 from './network_rdp_remote_desktop_protocol_from_the_internet.json'; -import rule76 from './network_rdp_remote_desktop_protocol_to_the_internet.json'; -import rule77 from './network_rpc_remote_procedure_call_from_the_internet.json'; -import rule78 from './network_rpc_remote_procedure_call_to_the_internet.json'; -import rule79 from './network_smb_windows_file_sharing_activity_to_the_internet.json'; -import rule80 from './network_smtp_to_the_internet.json'; -import rule81 from './network_sql_server_port_activity_to_the_internet.json'; -import rule82 from './network_ssh_secure_shell_from_the_internet.json'; -import rule83 from './network_ssh_secure_shell_to_the_internet.json'; -import rule84 from './network_telnet_port_activity.json'; -import rule85 from './network_tor_activity_to_the_internet.json'; -import rule86 from './network_vnc_virtual_network_computing_from_the_internet.json'; -import rule87 from './network_vnc_virtual_network_computing_to_the_internet.json'; -import rule88 from './null_user_agent.json'; -import rule89 from './sqlmap_user_agent.json'; -import rule90 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json'; -import rule91 from './windows_certutil_connecting_to_the_internet.json'; -import rule92 from './windows_command_prompt_connecting_to_the_internet.json'; -import rule93 from './windows_command_shell_started_by_internet_explorer.json'; -import rule94 from './windows_command_shell_started_by_powershell.json'; -import rule95 from './windows_command_shell_started_by_svchost.json'; -import rule96 from './windows_defense_evasion_via_filter_manager.json'; -import rule97 from './windows_execution_via_compiled_html_file.json'; -import rule98 from './windows_execution_via_connection_manager.json'; -import rule99 from './windows_execution_via_net_com_assemblies.json'; -import rule100 from './windows_execution_via_regsvr32.json'; -import rule101 from './windows_execution_via_trusted_developer_utilities.json'; -import rule102 from './windows_html_help_executable_program_connecting_to_the_internet.json'; -import rule103 from './windows_misc_lolbin_connecting_to_the_internet.json'; -import rule104 from './windows_net_command_activity_by_the_system_account.json'; -import rule105 from './windows_persistence_via_application_shimming.json'; -import rule106 from './windows_priv_escalation_via_accessibility_features.json'; -import rule107 from './windows_process_discovery_via_tasklist_command.json'; -import rule108 from './windows_process_execution_via_wmi.json'; -import rule109 from './windows_register_server_program_connecting_to_the_internet.json'; -import rule110 from './windows_signed_binary_proxy_execution.json'; -import rule111 from './windows_signed_binary_proxy_execution_download.json'; -import rule112 from './windows_suspicious_process_started_by_a_script.json'; -import rule113 from './windows_whoami_command_activity.json'; +import rule63 from './linux_strace_activity.json'; +import rule64 from './linux_tcpdump_activity.json'; +import rule65 from './linux_whoami_commmand.json'; +import rule66 from './network_dns_directly_to_the_internet.json'; +import rule67 from './network_ftp_file_transfer_protocol_activity_to_the_internet.json'; +import rule68 from './network_irc_internet_relay_chat_protocol_activity_to_the_internet.json'; +import rule69 from './network_nat_traversal_port_activity.json'; +import rule70 from './network_port_26_activity.json'; +import rule71 from './network_port_8000_activity_to_the_internet.json'; +import rule72 from './network_pptp_point_to_point_tunneling_protocol_activity.json'; +import rule73 from './network_proxy_port_activity_to_the_internet.json'; +import rule74 from './network_rdp_remote_desktop_protocol_from_the_internet.json'; +import rule75 from './network_rdp_remote_desktop_protocol_to_the_internet.json'; +import rule76 from './network_rpc_remote_procedure_call_from_the_internet.json'; +import rule77 from './network_rpc_remote_procedure_call_to_the_internet.json'; +import rule78 from './network_smb_windows_file_sharing_activity_to_the_internet.json'; +import rule79 from './network_smtp_to_the_internet.json'; +import rule80 from './network_sql_server_port_activity_to_the_internet.json'; +import rule81 from './network_ssh_secure_shell_from_the_internet.json'; +import rule82 from './network_ssh_secure_shell_to_the_internet.json'; +import rule83 from './network_telnet_port_activity.json'; +import rule84 from './network_tor_activity_to_the_internet.json'; +import rule85 from './network_vnc_virtual_network_computing_from_the_internet.json'; +import rule86 from './network_vnc_virtual_network_computing_to_the_internet.json'; +import rule87 from './null_user_agent.json'; +import rule88 from './sqlmap_user_agent.json'; +import rule89 from './windows_background_intelligent_transfer_service_bits_connecting_to_the_internet.json'; +import rule90 from './windows_certutil_connecting_to_the_internet.json'; +import rule91 from './windows_command_prompt_connecting_to_the_internet.json'; +import rule92 from './windows_command_shell_started_by_internet_explorer.json'; +import rule93 from './windows_command_shell_started_by_powershell.json'; +import rule94 from './windows_command_shell_started_by_svchost.json'; +import rule95 from './windows_defense_evasion_via_filter_manager.json'; +import rule96 from './windows_execution_via_compiled_html_file.json'; +import rule97 from './windows_execution_via_connection_manager.json'; +import rule98 from './windows_execution_via_net_com_assemblies.json'; +import rule99 from './windows_execution_via_regsvr32.json'; +import rule100 from './windows_execution_via_trusted_developer_utilities.json'; +import rule101 from './windows_html_help_executable_program_connecting_to_the_internet.json'; +import rule102 from './windows_misc_lolbin_connecting_to_the_internet.json'; +import rule103 from './windows_net_command_activity_by_the_system_account.json'; +import rule104 from './windows_persistence_via_application_shimming.json'; +import rule105 from './windows_priv_escalation_via_accessibility_features.json'; +import rule106 from './windows_process_discovery_via_tasklist_command.json'; +import rule107 from './windows_process_execution_via_wmi.json'; +import rule108 from './windows_register_server_program_connecting_to_the_internet.json'; +import rule109 from './windows_signed_binary_proxy_execution.json'; +import rule110 from './windows_signed_binary_proxy_execution_download.json'; +import rule111 from './windows_suspicious_process_started_by_a_script.json'; +import rule112 from './windows_whoami_command_activity.json'; export const rawRules = [ rule1, rule2, @@ -233,5 +232,4 @@ export const rawRules = [ rule110, rule111, rule112, - rule113, ]; diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json index c7d856cbe61f3..ac817762fdb71 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json @@ -32,7 +32,7 @@ { "id": "T1100", "name": "Web Shell", - "reference": "https://attack.mitre.org/techniques/T1215/" + "reference": "https://attack.mitre.org/techniques/T1100/" } ] } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json deleted file mode 100644 index 3b61814ab66fd..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_ssh_forwarding.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "description": "An SSH processes ran with the `-R` flag which can be used to forward a port to a remote destination for purposes of pivoting and persistence. This technique often used to create encrypted tunnels and circumvent firewalls, security groups or network access lists.", - "false_positives": [ - "Some normal use of this command may originate from usage by engineers as an alternative or ad-hoc remote access solution. Use of this command by non-administrative users is uncommon." - ], - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "max_signals": 33, - "name": "Potential Lateral Movement via SSH Port Forwarding", - "query": "process.name:ssh and process.args:\"-R\" and event.action:executed", - "references": [ - "https://www.ssh.com/ssh/tunneling", - "https://www.ssh.com/ssh/tunneling/example" - ], - "risk_score": 47, - "rule_id": "45d256ab-e665-445b-8306-2f83a8db59f8", - "severity": "medium", - "tags": [ - "Elastic", - "Linux" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1184", - "name": "SSH Hijacking", - "reference": "https://attack.mitre.org/techniques/T1184/" - } - ] - } - ], - "type": "query", - "version": 1 -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json index 6f8bc112fd011..f5488ae49d0fb 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_strace_activity.json @@ -1,5 +1,5 @@ { - "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privlieges or move laterally.", + "description": "Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.", "false_positives": [ "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing." ], diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json index 59db16c7b7d3d..352fc5e44dc80 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_port_26_activity.json @@ -49,7 +49,7 @@ }, "technique": [ { - "id": "T1043", + "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/" } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json index 76528da19a57c..e3853c30e6ad9 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rdp_remote_desktop_protocol_from_the_internet.json @@ -45,7 +45,7 @@ }, "technique": [ { - "id": "T1190", + "id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/" } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json index ca6715ac48785..1570d3d155fea 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_rpc_remote_procedure_call_from_the_internet.json @@ -29,7 +29,7 @@ { "id": "T1190", "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1043/" + "reference": "https://attack.mitre.org/techniques/T1190/" } ] } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json index ee47dff73db40..991c626c11d33 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/network_smb_windows_file_sharing_activity_to_the_internet.json @@ -42,7 +42,7 @@ }, "technique": [ { - "id": "T1043", + "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/" } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/notice.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/notice.ts new file mode 100644 index 0000000000000..cd24d823b8cd6 --- /dev/null +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/notice.ts @@ -0,0 +1,36 @@ +/* eslint-disable @kbn/eslint/require-license-header */ + +/* @notice + * This product bundles rules based on https://github.com/BlueTeamLabs/sentinel-attack + * which is available under a "MIT" license. The files based on this license are: + * + * - windows_defense_evasion_via_filter_manager.json + * - windows_process_discovery_via_tasklist_command.json + * - windows_priv_escalation_via_accessibility_features.json + * - windows_persistence_via_application_shimming.json + * - windows_execution_via_trusted_developer_utilities.json + * - windows_execution_via_net_com_assemblies.json + * - windows_execution_via_connection_manager.json + * + * MIT License + * + * Copyright (c) 2019 Edoardo Gerosa, Olaf Hartong + * + * Permission is hereby granted, free of charge, to any person obtaining a copy of + * this software and associated documentation files (the "Software"), to deal in + * the Software without restriction, including without limitation the rights to + * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies + * of the Software, and to permit persons to whom the Software is furnished to do + * so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json index 87a3119ac780d..7975c30a4ea38 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/null_user_agent.json @@ -1,7 +1,7 @@ { "description": "A request to a web application server contained no identifying user agent string.", "false_positives": [ - "Some normal applications and scripts may contain no user agent. Most legitmate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity." + "Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is unexpected, or the user is unauthorized, or the request is unusual, these may be suspicious or malicious activity." ], "filters": [ { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json index 72d85dcbffc06..44e112d09a45b 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/sqlmap_user_agent.json @@ -1,7 +1,7 @@ { "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11 which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities. ", "false_positives": [ - "This signal does not indicate that a SQL injection attack occured, only that the sqlmap tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity." + "This signal does not indicate that a SQL injection attack occurred, only that the sqlmap tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity." ], "index": [ "apm-*-transaction*" diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts index 8234b931ad89a..634c0d5a52cb1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts @@ -5,6 +5,7 @@ */ import { defaults, pickBy, isEmpty } from 'lodash/fp'; +import { PartialAlert } from '../../../../../alerting/server/types'; import { readRules } from './read_rules'; import { UpdateRuleParams, IRuleSavedAttributesSavedObjectAttributes } from './types'; import { addTags } from './add_tags'; @@ -108,7 +109,7 @@ export const updateRules = async ({ type, references, version, -}: UpdateRuleParams) => { +}: UpdateRuleParams): Promise => { const rule = await readRules({ alertsClient, ruleId, id }); if (rule == null) { return null; @@ -164,12 +165,23 @@ export const updateRules = async ({ threat, to, type, - updatedAt: new Date().toISOString(), references, version: calculatedVersion, } ); + const update = await alertsClient.update({ + id: rule.id, + data: { + tags: addTags(tags ?? rule.tags, rule.params.ruleId, immutable ?? rule.params.immutable), + name: calculateName({ updatedName: name, originalName: rule.name }), + schedule: { + interval: calculateInterval(interval, rule.schedule.interval), + }, + actions: rule.actions, + params: nextParams, + }, + }); if (rule.enabled && enabled === false) { await alertsClient.disable({ id: rule.id }); } else if (!rule.enabled && enabled === true) { @@ -195,16 +207,10 @@ export const updateRules = async ({ } else { // enabled is null or undefined and we do not touch the rule } - return alertsClient.update({ - id: rule.id, - data: { - tags: addTags(tags ?? rule.tags, rule.params.ruleId, immutable ?? rule.params.immutable), - name: calculateName({ updatedName: name, originalName: rule.name }), - schedule: { - interval: calculateInterval(interval, rule.schedule.interval), - }, - actions: rule.actions, - params: nextParams, - }, - }); + + if (enabled != null) { + return { ...update, enabled }; + } else { + return update; + } }; diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts index 6507e6ca73ede..fded0696ff8bf 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts @@ -35,8 +35,6 @@ export const sampleRuleAlertParams = ( meta: undefined, threat: undefined, version: 1, - updatedAt: '2019-12-17T15:04:25.343Z', - createdAt: '2019-12-17T15:04:37.105Z', }); export const sampleDocNoSortId = (someUuid: string = sampleIdGuid): SignalSourceHit => ({ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.test.ts index de11bf6fcc3c1..b71a7080f4147 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.test.ts @@ -25,6 +25,8 @@ describe('buildBulkBody', () => { ruleParams: sampleParams, id: sampleRuleGuid, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -103,6 +105,8 @@ describe('buildBulkBody', () => { ruleParams: sampleParams, id: sampleRuleGuid, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -189,6 +193,8 @@ describe('buildBulkBody', () => { ruleParams: sampleParams, id: sampleRuleGuid, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -272,6 +278,8 @@ describe('buildBulkBody', () => { ruleParams: sampleParams, id: sampleRuleGuid, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.ts index 6d9f442515b2a..e77755073b374 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.ts @@ -15,7 +15,9 @@ interface BuildBulkBodyParams { ruleParams: RuleTypeParams; id: string; name: string; + createdAt: string; createdBy: string; + updatedAt: string; updatedBy: string; interval: string; enabled: boolean; @@ -28,7 +30,9 @@ export const buildBulkBody = ({ ruleParams, id, name, + createdAt, createdBy, + updatedAt, updatedBy, interval, enabled, @@ -39,7 +43,9 @@ export const buildBulkBody = ({ id, name, enabled, + createdAt, createdBy, + updatedAt, updatedBy, interval, tags, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.test.ts index 451e493f3ed8a..af0883f4ce6b5 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.test.ts @@ -31,6 +31,8 @@ describe('buildRule', () => { name: 'some-name', id: sampleRuleGuid, enabled: false, + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: 'some interval', @@ -85,6 +87,8 @@ describe('buildRule', () => { name: 'some-name', id: sampleRuleGuid, enabled: true, + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: 'some interval', @@ -128,6 +132,8 @@ describe('buildRule', () => { name: 'some-name', id: sampleRuleGuid, enabled: true, + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: 'some interval', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts index ba1b2f695156b..70465bf1d9201 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts @@ -12,7 +12,9 @@ interface BuildRuleParams { name: string; id: string; enabled: boolean; + createdAt: string; createdBy: string; + updatedAt: string; updatedBy: string; interval: string; tags: string[]; @@ -23,7 +25,9 @@ export const buildRule = ({ name, id, enabled, + createdAt, createdBy, + updatedAt, updatedBy, interval, tags, @@ -58,7 +62,7 @@ export const buildRule = ({ updated_by: updatedBy, threat: ruleParams.threat, version: ruleParams.version, - created_at: ruleParams.createdAt, - updated_at: ruleParams.updatedAt, + created_at: createdAt, + updated_at: updatedAt, }); }; diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/search_after_bulk_create.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/search_after_bulk_create.test.ts index 0644d5e467a5a..bf7a97a29aef3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/search_after_bulk_create.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/search_after_bulk_create.test.ts @@ -40,6 +40,8 @@ describe('searchAfterAndBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -93,6 +95,8 @@ describe('searchAfterAndBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -117,6 +121,8 @@ describe('searchAfterAndBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -148,6 +154,8 @@ describe('searchAfterAndBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -179,6 +187,8 @@ describe('searchAfterAndBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -212,6 +222,8 @@ describe('searchAfterAndBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -245,6 +257,8 @@ describe('searchAfterAndBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -280,6 +294,8 @@ describe('searchAfterAndBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/search_after_bulk_create.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/search_after_bulk_create.ts index fb314e62ba943..8c8cef5dd3669 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/search_after_bulk_create.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/search_after_bulk_create.ts @@ -19,8 +19,10 @@ interface SearchAfterAndBulkCreateParams { id: string; signalsIndex: string; name: string; + createdAt: string; createdBy: string; updatedBy: string; + updatedAt: string; interval: string; enabled: boolean; pageSize: number; @@ -38,8 +40,10 @@ export const searchAfterAndBulkCreate = async ({ signalsIndex, filter, name, + createdAt, createdBy, updatedBy, + updatedAt, interval, enabled, pageSize, @@ -58,7 +62,9 @@ export const searchAfterAndBulkCreate = async ({ id, signalsIndex, name, + createdAt, createdBy, + updatedAt, updatedBy, interval, enabled, @@ -118,7 +124,9 @@ export const searchAfterAndBulkCreate = async ({ id, signalsIndex, name, + createdAt, createdBy, + updatedAt, updatedBy, interval, enabled, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts index 370ed65280849..cd28f348a27c3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts @@ -35,7 +35,6 @@ export const signalRulesAlertType = ({ actionGroups: ['default'], validate: { params: schema.object({ - createdAt: schema.string(), description: schema.string(), falsePositives: schema.arrayOf(schema.string(), { defaultValue: [] }), from: schema.string(), @@ -56,7 +55,6 @@ export const signalRulesAlertType = ({ threat: schema.nullable(schema.arrayOf(schema.object({}, { allowUnknowns: true }))), to: schema.string(), type: schema.string(), - updatedAt: schema.string(), references: schema.arrayOf(schema.string(), { defaultValue: [] }), version: schema.number({ defaultValue: 1 }), }), @@ -121,7 +119,9 @@ export const signalRulesAlertType = ({ const tags: string[] = savedObject.attributes.tags; const createdBy: string = savedObject.attributes.createdBy; + const createdAt: string = savedObject.attributes.createdAt; const updatedBy: string = savedObject.attributes.updatedBy; + const updatedAt: string = savedObject.updated_at ?? ''; const interval: string = savedObject.attributes.schedule.interval; const enabled: boolean = savedObject.attributes.enabled; const gap = getGapBetweenRuns({ @@ -210,7 +210,9 @@ export const signalRulesAlertType = ({ filter: esFilter, name, createdBy, + createdAt, updatedBy, + updatedAt, interval, enabled, pageSize: searchAfterSize, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/single_bulk_create.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/single_bulk_create.test.ts index d5f11c91a2b7c..09e2c6b4fd586 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/single_bulk_create.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/single_bulk_create.test.ts @@ -152,6 +152,8 @@ describe('singleBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -180,6 +182,8 @@ describe('singleBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -200,6 +204,8 @@ describe('singleBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -221,6 +227,8 @@ describe('singleBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -244,6 +252,8 @@ describe('singleBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/single_bulk_create.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/single_bulk_create.ts index cb5de4c974927..adc7919a09758 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/single_bulk_create.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/single_bulk_create.ts @@ -21,7 +21,9 @@ interface SingleBulkCreateParams { id: string; signalsIndex: string; name: string; + createdAt: string; createdBy: string; + updatedAt: string; updatedBy: string; interval: string; enabled: boolean; @@ -59,7 +61,9 @@ export const singleBulkCreate = async ({ id, signalsIndex, name, + createdAt, createdBy, + updatedAt, updatedBy, interval, enabled, @@ -91,7 +95,19 @@ export const singleBulkCreate = async ({ ), }, }, - buildBulkBody({ doc, ruleParams, id, name, createdBy, updatedBy, interval, enabled, tags }), + buildBulkBody({ + doc, + ruleParams, + id, + name, + createdAt, + createdBy, + updatedAt, + updatedBy, + interval, + enabled, + tags, + }), ]); const start = performance.now(); const response: BulkResponse = await services.callCluster('bulk', { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts index d1c9845dbbcfc..e1069db98c8fc 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts @@ -22,7 +22,6 @@ export interface ThreatParams { } export interface RuleAlertParams { - createdAt: string; description: string; enabled: boolean; falsePositives: string[]; @@ -49,7 +48,6 @@ export interface RuleAlertParams { threat: ThreatParams[] | undefined | null; type: 'query' | 'saved_query'; version: number; - updatedAt: string; } export type RuleTypeParams = Omit; @@ -65,8 +63,6 @@ export type RuleAlertParamsRest = Omit< | 'timelineId' | 'timelineTitle' | 'outputIndex' - | 'updatedAt' - | 'createdAt' > & Omit< IRuleStatusAttributes, @@ -86,8 +82,8 @@ export type RuleAlertParamsRest = Omit< max_signals: RuleAlertParams['maxSignals']; risk_score: RuleAlertParams['riskScore']; output_index: RuleAlertParams['outputIndex']; - created_at: RuleAlertParams['createdAt']; - updated_at: RuleAlertParams['updatedAt']; + created_at: string; + updated_at: string; status?: IRuleStatusAttributes['status'] | undefined; status_date?: IRuleStatusAttributes['statusDate'] | undefined; last_failure_at?: IRuleStatusAttributes['lastFailureAt'] | undefined; diff --git a/x-pack/legacy/plugins/siem/server/lib/ecs_fields/index.ts b/x-pack/legacy/plugins/siem/server/lib/ecs_fields/index.ts index f85fb2c9fd753..eb483de000915 100644 --- a/x-pack/legacy/plugins/siem/server/lib/ecs_fields/index.ts +++ b/x-pack/legacy/plugins/siem/server/lib/ecs_fields/index.ts @@ -318,6 +318,10 @@ export const signalFieldsMap: Readonly> = { 'signal.rule.version': 'signal.rule.version', }; +export const ruleFieldsMap: Readonly> = { + 'rule.reference': 'rule.reference', +}; + export const eventFieldsMap: Readonly> = { timestamp: '@timestamp', '@timestamp': '@timestamp', @@ -331,6 +335,7 @@ export const eventFieldsMap: Readonly> = { ...{ ...geoFieldsMap }, ...{ ...hostFieldsMap }, ...{ ...networkFieldsMap }, + ...{ ...ruleFieldsMap }, ...{ ...signalFieldsMap }, ...{ ...sourceFieldsMap }, ...{ ...suricataFieldsMap }, diff --git a/x-pack/legacy/plugins/triggers_actions_ui/index.ts b/x-pack/legacy/plugins/triggers_actions_ui/index.ts index c6ac3649a1477..19930363d30bf 100644 --- a/x-pack/legacy/plugins/triggers_actions_ui/index.ts +++ b/x-pack/legacy/plugins/triggers_actions_ui/index.ts @@ -29,7 +29,6 @@ export function triggersActionsUI(kibana: any) { .default(); }, uiExports: { - home: ['plugins/triggers_actions_ui/hacks/register'], managementSections: ['plugins/triggers_actions_ui/legacy'], styleSheetPaths: resolve(__dirname, 'public/index.scss'), injectDefaultVars(server: Legacy.Server) { diff --git a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/app.tsx b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/app.tsx index b7fab1b5647a4..7d9a963c9c6b3 100644 --- a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/app.tsx +++ b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/app.tsx @@ -11,6 +11,7 @@ import { ToastsSetup, HttpSetup, IUiSettingsClient, + ApplicationStart, } from 'kibana/public'; import { BASE_PATH, Section, routeToAlertDetails } from './constants'; import { TriggersActionsUIHome } from './home'; @@ -28,6 +29,7 @@ export interface AppDeps { http: HttpSetup; uiSettings: IUiSettingsClient; legacy: LegacyDependencies; + capabilities: ApplicationStart['capabilities']; actionTypeRegistry: TypeRegistry; alertTypeRegistry: TypeRegistry; } @@ -47,10 +49,8 @@ export const App = (appDeps: AppDeps) => { }; export const AppWithoutRouter = ({ sectionsRegex }: any) => { - const { - legacy: { capabilities }, - } = useAppDependencies(); - const canShowAlerts = hasShowAlertsCapability(capabilities.get()); + const { capabilities } = useAppDependencies(); + const canShowAlerts = hasShowAlertsCapability(capabilities); const DEFAULT_SECTION: Section = canShowAlerts ? 'alerts' : 'connectors'; return ( diff --git a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/home.tsx b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/home.tsx index 3312f1a103b29..5d518bce569e4 100644 --- a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/home.tsx +++ b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/home.tsx @@ -39,11 +39,12 @@ export const TriggersActionsUIHome: React.FunctionComponent { const { chrome, - legacy: { MANAGEMENT_BREADCRUMB, capabilities }, + capabilities, + legacy: { MANAGEMENT_BREADCRUMB }, } = useAppDependencies(); - const canShowActions = hasShowActionsCapability(capabilities.get()); - const canShowAlerts = hasShowAlertsCapability(capabilities.get()); + const canShowActions = hasShowActionsCapability(capabilities); + const canShowAlerts = hasShowAlertsCapability(capabilities); const tabs: Array<{ id: Section; name: React.ReactNode; diff --git a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/action_connector_form.test.tsx b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/action_connector_form.test.tsx index ea3ffb15cff45..f27f7d8c3054d 100644 --- a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/action_connector_form.test.tsx +++ b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/action_connector_form.test.tsx @@ -20,7 +20,13 @@ describe('action_connector_form', () => { beforeAll(async () => { const mockes = coreMock.createSetup(); - const [{ chrome, docLinks }] = await mockes.getStartServices(); + const [ + { + chrome, + docLinks, + application: { capabilities }, + }, + ] = await mockes.getStartServices(); const deps = { chrome, docLinks, @@ -28,18 +34,15 @@ describe('action_connector_form', () => { injectedMetadata: mockes.injectedMetadata, http: mockes.http, uiSettings: mockes.uiSettings, + capabilities: { + ...capabilities, + actions: { + delete: true, + save: true, + show: true, + }, + }, legacy: { - capabilities: { - get() { - return { - actions: { - delete: true, - save: true, - show: true, - }, - }; - }, - } as any, MANAGEMENT_BREADCRUMB: { set: () => {} } as any, }, actionTypeRegistry: actionTypeRegistry as any, diff --git a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/action_connector_form.tsx b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/action_connector_form.tsx index 682c1fbb54b67..852e713b38ed7 100644 --- a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/action_connector_form.tsx +++ b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/action_connector_form.tsx @@ -39,15 +39,10 @@ export const ActionConnectorForm = ({ actionTypeName, setFlyoutVisibility, }: ActionConnectorProps) => { - const { - http, - toastNotifications, - legacy: { capabilities }, - actionTypeRegistry, - } = useAppDependencies(); + const { http, toastNotifications, capabilities, actionTypeRegistry } = useAppDependencies(); const { reloadConnectors } = useActionsConnectorsContext(); - const canSave = hasSaveActionsCapability(capabilities.get()); + const canSave = hasSaveActionsCapability(capabilities); // hooks const [{ connector }, dispatch] = useReducer(connectorReducer, { connector: initialConnector }); diff --git a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/action_type_menu.test.tsx b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/action_type_menu.test.tsx index 9cf710d31f194..6d98a5e3d120f 100644 --- a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/action_type_menu.test.tsx +++ b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/action_type_menu.test.tsx @@ -18,7 +18,13 @@ describe('connector_add_flyout', () => { beforeAll(async () => { const mockes = coreMock.createSetup(); - const [{ chrome, docLinks }] = await mockes.getStartServices(); + const [ + { + chrome, + docLinks, + application: { capabilities }, + }, + ] = await mockes.getStartServices(); deps = { chrome, docLinks, @@ -26,18 +32,15 @@ describe('connector_add_flyout', () => { injectedMetadata: mockes.injectedMetadata, http: mockes.http, uiSettings: mockes.uiSettings, + capabilities: { + ...capabilities, + actions: { + delete: true, + save: true, + show: true, + }, + }, legacy: { - capabilities: { - get() { - return { - actions: { - delete: true, - save: true, - show: true, - }, - }; - }, - } as any, MANAGEMENT_BREADCRUMB: { set: () => {} } as any, }, actionTypeRegistry: actionTypeRegistry as any, diff --git a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/connector_add_flyout.test.tsx b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/connector_add_flyout.test.tsx index 60c07c00c2af8..a03296c7c3679 100644 --- a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/connector_add_flyout.test.tsx +++ b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/connector_add_flyout.test.tsx @@ -20,7 +20,13 @@ describe('connector_add_flyout', () => { beforeAll(async () => { const mockes = coreMock.createSetup(); - const [{ chrome, docLinks }] = await mockes.getStartServices(); + const [ + { + chrome, + docLinks, + application: { capabilities }, + }, + ] = await mockes.getStartServices(); const deps = { chrome, docLinks, @@ -28,18 +34,15 @@ describe('connector_add_flyout', () => { injectedMetadata: mockes.injectedMetadata, http: mockes.http, uiSettings: mockes.uiSettings, + capabilities: { + ...capabilities, + actions: { + delete: true, + save: true, + show: true, + }, + }, legacy: { - capabilities: { - get() { - return { - actions: { - delete: true, - save: true, - show: true, - }, - }; - }, - } as any, MANAGEMENT_BREADCRUMB: { set: () => {} } as any, }, actionTypeRegistry: actionTypeRegistry as any, diff --git a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/connector_edit_flyout.test.tsx b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/connector_edit_flyout.test.tsx index a2b57ed8a8b25..0dc38523bfab8 100644 --- a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/connector_edit_flyout.test.tsx +++ b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/action_connector_form/connector_edit_flyout.test.tsx @@ -17,7 +17,13 @@ let deps: any; describe('connector_edit_flyout', () => { beforeAll(async () => { const mockes = coreMock.createSetup(); - const [{ chrome, docLinks }] = await mockes.getStartServices(); + const [ + { + chrome, + docLinks, + application: { capabilities }, + }, + ] = await mockes.getStartServices(); deps = { chrome, docLinks, @@ -25,18 +31,15 @@ describe('connector_edit_flyout', () => { injectedMetadata: mockes.injectedMetadata, http: mockes.http, uiSettings: mockes.uiSettings, + capabilities: { + ...capabilities, + actions: { + delete: true, + save: true, + show: true, + }, + }, legacy: { - capabilities: { - get() { - return { - actions: { - delete: true, - save: true, - show: true, - }, - }; - }, - } as any, MANAGEMENT_BREADCRUMB: { set: () => {} } as any, }, actionTypeRegistry: actionTypeRegistry as any, diff --git a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/actions_connectors_list/components/actions_connectors_list.test.tsx b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/actions_connectors_list/components/actions_connectors_list.test.tsx index 511deb8cf3b0d..da502fb86521b 100644 --- a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/actions_connectors_list/components/actions_connectors_list.test.tsx +++ b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/actions_connectors_list/components/actions_connectors_list.test.tsx @@ -42,7 +42,13 @@ describe('actions_connectors_list component empty', () => { }, ]); const mockes = coreMock.createSetup(); - const [{ chrome, docLinks }] = await mockes.getStartServices(); + const [ + { + chrome, + docLinks, + application: { capabilities }, + }, + ] = await mockes.getStartServices(); const deps = { chrome, docLinks, @@ -50,18 +56,15 @@ describe('actions_connectors_list component empty', () => { injectedMetadata: mockes.injectedMetadata, http: mockes.http, uiSettings: mockes.uiSettings, + capabilities: { + ...capabilities, + siem: { + 'actions:show': true, + 'actions:save': true, + 'actions:delete': true, + }, + }, legacy: { - capabilities: { - get() { - return { - siem: { - 'actions:show': true, - 'actions:save': true, - 'actions:delete': true, - }, - }; - }, - } as any, MANAGEMENT_BREADCRUMB: { set: () => {} } as any, }, actionTypeRegistry: actionTypeRegistry as any, @@ -136,7 +139,13 @@ describe('actions_connectors_list component with items', () => { ]); const mockes = coreMock.createSetup(); - const [{ chrome, docLinks }] = await mockes.getStartServices(); + const [ + { + chrome, + docLinks, + application: { capabilities }, + }, + ] = await mockes.getStartServices(); const deps = { chrome, docLinks, @@ -144,18 +153,15 @@ describe('actions_connectors_list component with items', () => { injectedMetadata: mockes.injectedMetadata, http: mockes.http, uiSettings: mockes.uiSettings, + capabilities: { + ...capabilities, + siem: { + 'actions:show': true, + 'actions:save': true, + 'actions:delete': true, + }, + }, legacy: { - capabilities: { - get() { - return { - siem: { - 'actions:show': true, - 'actions:save': true, - 'actions:delete': true, - }, - }; - }, - } as any, MANAGEMENT_BREADCRUMB: { set: () => {} } as any, }, actionTypeRegistry: { @@ -217,7 +223,13 @@ describe('actions_connectors_list component empty with show only capability', () }, ]); const mockes = coreMock.createSetup(); - const [{ chrome, docLinks }] = await mockes.getStartServices(); + const [ + { + chrome, + docLinks, + application: { capabilities }, + }, + ] = await mockes.getStartServices(); const deps = { chrome, docLinks, @@ -225,18 +237,15 @@ describe('actions_connectors_list component empty with show only capability', () injectedMetadata: mockes.injectedMetadata, http: mockes.http, uiSettings: mockes.uiSettings, + capabilities: { + ...capabilities, + siem: { + 'actions:show': true, + 'actions:save': false, + 'actions:delete': false, + }, + }, legacy: { - capabilities: { - get() { - return { - siem: { - 'actions:show': true, - 'actions:save': false, - 'actions:delete': false, - }, - }; - }, - } as any, MANAGEMENT_BREADCRUMB: { set: () => {} } as any, }, actionTypeRegistry: { @@ -303,7 +312,13 @@ describe('actions_connectors_list with show only capability', () => { }, ]); const mockes = coreMock.createSetup(); - const [{ chrome, docLinks }] = await mockes.getStartServices(); + const [ + { + chrome, + docLinks, + application: { capabilities }, + }, + ] = await mockes.getStartServices(); const deps = { chrome, docLinks, @@ -311,18 +326,15 @@ describe('actions_connectors_list with show only capability', () => { injectedMetadata: mockes.injectedMetadata, http: mockes.http, uiSettings: mockes.uiSettings, + capabilities: { + ...capabilities, + siem: { + 'actions:show': true, + 'actions:save': false, + 'actions:delete': false, + }, + }, legacy: { - capabilities: { - get() { - return { - siem: { - 'actions:show': true, - 'actions:save': false, - 'actions:delete': false, - }, - }; - }, - } as any, MANAGEMENT_BREADCRUMB: { set: () => {} } as any, }, actionTypeRegistry: { diff --git a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/actions_connectors_list/components/actions_connectors_list.tsx b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/actions_connectors_list/components/actions_connectors_list.tsx index 1990ffefdf84e..e98c3b2c08749 100644 --- a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/actions_connectors_list/components/actions_connectors_list.tsx +++ b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/actions_connectors_list/components/actions_connectors_list.tsx @@ -26,13 +26,9 @@ import { hasDeleteActionsCapability, hasSaveActionsCapability } from '../../../l import { DeleteConnectorsModal } from '../../../components/delete_connectors_modal'; export const ActionsConnectorsList: React.FunctionComponent = () => { - const { - http, - toastNotifications, - legacy: { capabilities }, - } = useAppDependencies(); - const canDelete = hasDeleteActionsCapability(capabilities.get()); - const canSave = hasSaveActionsCapability(capabilities.get()); + const { http, toastNotifications, capabilities } = useAppDependencies(); + const canDelete = hasDeleteActionsCapability(capabilities); + const canSave = hasSaveActionsCapability(capabilities); const [actionTypesIndex, setActionTypesIndex] = useState(undefined); const [actions, setActions] = useState([]); diff --git a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/alerts_list/components/alerts_list.test.tsx b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/alerts_list/components/alerts_list.test.tsx index 34461c3d97e09..f410fff44172f 100644 --- a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/alerts_list/components/alerts_list.test.tsx +++ b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/alerts_list/components/alerts_list.test.tsx @@ -77,7 +77,13 @@ describe('alerts_list component empty', () => { }); const mockes = coreMock.createSetup(); - const [{ chrome, docLinks }] = await mockes.getStartServices(); + const [ + { + chrome, + docLinks, + application: { capabilities }, + }, + ] = await mockes.getStartServices(); const deps = { chrome, docLinks, @@ -91,18 +97,15 @@ describe('alerts_list component empty', () => { } as any, http: mockes.http, uiSettings: mockes.uiSettings, + capabilities: { + ...capabilities, + siem: { + 'alerting:show': true, + 'alerting:save': true, + 'alerting:delete': true, + }, + }, legacy: { - capabilities: { - get() { - return { - siem: { - 'alerting:show': true, - 'alerting:save': true, - 'alerting:delete': true, - }, - }; - }, - } as any, MANAGEMENT_BREADCRUMB: { set: () => {} } as any, }, actionTypeRegistry: actionTypeRegistry as any, @@ -200,7 +203,13 @@ describe('alerts_list component with items', () => { data: [], }); const mockes = coreMock.createSetup(); - const [{ chrome, docLinks }] = await mockes.getStartServices(); + const [ + { + chrome, + docLinks, + application: { capabilities }, + }, + ] = await mockes.getStartServices(); const deps = { chrome, docLinks, @@ -214,18 +223,15 @@ describe('alerts_list component with items', () => { } as any, http: mockes.http, uiSettings: mockes.uiSettings, + capabilities: { + ...capabilities, + siem: { + 'alerting:show': true, + 'alerting:save': true, + 'alerting:delete': true, + }, + }, legacy: { - capabilities: { - get() { - return { - siem: { - 'alerting:show': true, - 'alerting:save': true, - 'alerting:delete': true, - }, - }; - }, - } as any, MANAGEMENT_BREADCRUMB: { set: () => {} } as any, }, actionTypeRegistry: actionTypeRegistry as any, @@ -284,7 +290,13 @@ describe('alerts_list component empty with show only capability', () => { data: [], }); const mockes = coreMock.createSetup(); - const [{ chrome, docLinks }] = await mockes.getStartServices(); + const [ + { + chrome, + docLinks, + application: { capabilities }, + }, + ] = await mockes.getStartServices(); const deps = { chrome, docLinks, @@ -298,18 +310,15 @@ describe('alerts_list component empty with show only capability', () => { } as any, http: mockes.http, uiSettings: mockes.uiSettings, + capabilities: { + ...capabilities, + siem: { + 'alerting:show': true, + 'alerting:save': false, + 'alerting:delete': false, + }, + }, legacy: { - capabilities: { - get() { - return { - siem: { - 'alerting:show': true, - 'alerting:save': false, - 'alerting:delete': false, - }, - }; - }, - } as any, MANAGEMENT_BREADCRUMB: { set: () => {} } as any, }, actionTypeRegistry: { @@ -403,7 +412,13 @@ describe('alerts_list with show only capability', () => { data: [], }); const mockes = coreMock.createSetup(); - const [{ chrome, docLinks }] = await mockes.getStartServices(); + const [ + { + chrome, + docLinks, + application: { capabilities }, + }, + ] = await mockes.getStartServices(); const deps = { chrome, docLinks, @@ -417,18 +432,15 @@ describe('alerts_list with show only capability', () => { } as any, http: mockes.http, uiSettings: mockes.uiSettings, + capabilities: { + ...capabilities, + siem: { + 'alerting:show': true, + 'alerting:save': false, + 'alerting:delete': false, + }, + }, legacy: { - capabilities: { - get() { - return { - siem: { - 'alerting:show': true, - 'alerting:save': false, - 'alerting:delete': false, - }, - }; - }, - } as any, MANAGEMENT_BREADCRUMB: { set: () => {} } as any, }, actionTypeRegistry: actionTypeRegistry as any, diff --git a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/alerts_list/components/alerts_list.tsx b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/alerts_list/components/alerts_list.tsx index 6ae1766eb8b3d..32de924f63e80 100644 --- a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/alerts_list/components/alerts_list.tsx +++ b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/alerts_list/components/alerts_list.tsx @@ -47,15 +47,10 @@ interface AlertState { } export const AlertsList: React.FunctionComponent = () => { - const { - http, - injectedMetadata, - toastNotifications, - legacy: { capabilities }, - } = useAppDependencies(); const history = useHistory(); - const canDelete = hasDeleteAlertsCapability(capabilities.get()); - const canSave = hasSaveAlertsCapability(capabilities.get()); + const { http, injectedMetadata, toastNotifications, capabilities } = useAppDependencies(); + const canDelete = hasDeleteAlertsCapability(capabilities); + const canSave = hasSaveAlertsCapability(capabilities); const createAlertUiEnabled = injectedMetadata.getInjectedVar('createAlertUiEnabled'); const [actionTypes, setActionTypes] = useState([]); diff --git a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/alerts_list/components/collapsed_item_actions.tsx b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/alerts_list/components/collapsed_item_actions.tsx index cb19d0398f0e1..2bac159ed79ed 100644 --- a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/alerts_list/components/collapsed_item_actions.tsx +++ b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/application/sections/alerts_list/components/collapsed_item_actions.tsx @@ -38,12 +38,10 @@ export const CollapsedItemActions: React.FunctionComponent = ({ muteAlert, deleteAlert, }: ComponentOpts) => { - const { - legacy: { capabilities }, - } = useAppDependencies(); + const { capabilities } = useAppDependencies(); - const canDelete = hasDeleteAlertsCapability(capabilities.get()); - const canSave = hasSaveAlertsCapability(capabilities.get()); + const canDelete = hasDeleteAlertsCapability(capabilities); + const canSave = hasSaveAlertsCapability(capabilities); const [isPopoverOpen, setIsPopoverOpen] = useState(false); diff --git a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/plugin.ts b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/plugin.ts index 0b0f8a4ee6790..00dd2f51feaee 100644 --- a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/plugin.ts +++ b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/plugin.ts @@ -42,12 +42,6 @@ export class Plugin implements CorePlugin { { application, notifications, http, uiSettings, injectedMetadata }: CoreSetup, { __LEGACY }: LegacyPlugins ): Setup { - const canShowActions = hasShowActionsCapability(__LEGACY.capabilities.get()); - const canShowAlerts = hasShowAlertsCapability(__LEGACY.capabilities.get()); - - if (!canShowActions && !canShowAlerts) { - return; - } registerBuiltInActionTypes({ actionTypeRegistry: this.actionTypeRegistry, }); @@ -61,6 +55,7 @@ export class Plugin implements CorePlugin { mount: async ( { core: { + application: applicationStart, docLinks, chrome, // Waiting for types to be updated. @@ -71,6 +66,16 @@ export class Plugin implements CorePlugin { }, { element } ) => { + const { capabilities } = applicationStart; + + const canShowActions = hasShowActionsCapability(capabilities); + const canShowAlerts = hasShowAlertsCapability(capabilities); + + if (!canShowActions && !canShowAlerts) { + // Render nothing + return () => {}; + } + const { boot } = await import('./application/boot'); return boot({ element, @@ -85,6 +90,7 @@ export class Plugin implements CorePlugin { legacy: { ...__LEGACY, }, + capabilities, actionTypeRegistry: this.actionTypeRegistry, alertTypeRegistry: this.alertTypeRegistry, }); @@ -93,9 +99,10 @@ export class Plugin implements CorePlugin { } public start(core: CoreStart, { __LEGACY }: LegacyPlugins) { - const { capabilities } = __LEGACY; - const canShowActions = hasShowActionsCapability(capabilities.get()); - const canShowAlerts = hasShowAlertsCapability(capabilities.get()); + const { capabilities } = core.application; + + const canShowActions = hasShowActionsCapability(capabilities); + const canShowAlerts = hasShowAlertsCapability(capabilities); // Don't register routes when user doesn't have access to the application if (!canShowActions && !canShowAlerts) { diff --git a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/types.ts b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/types.ts index c9f1c71199557..99e18d7893db5 100644 --- a/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/types.ts +++ b/x-pack/legacy/plugins/triggers_actions_ui/np_ready/public/types.ts @@ -3,7 +3,6 @@ * or more contributor license agreements. Licensed under the Elastic License; * you may not use this file except in compliance with the Elastic License. */ -import { capabilities } from 'ui/capabilities'; import { TypeRegistry } from './application/type_registry'; import { SanitizedAlert as Alert } from '../../../alerting/common'; export { SanitizedAlert as Alert, AlertAction } from '../../../alerting/common'; @@ -92,5 +91,4 @@ export interface IErrorObject { export interface LegacyDependencies { MANAGEMENT_BREADCRUMB: { text: string; href?: string }; - capabilities: typeof capabilities; } diff --git a/x-pack/legacy/plugins/triggers_actions_ui/public/hacks/register.ts b/x-pack/legacy/plugins/triggers_actions_ui/public/hacks/register.ts deleted file mode 100644 index 7991604fcc667..0000000000000 --- a/x-pack/legacy/plugins/triggers_actions_ui/public/hacks/register.ts +++ /dev/null @@ -1,25 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { i18n } from '@kbn/i18n'; -import { - FeatureCatalogueRegistryProvider, - FeatureCatalogueCategory, -} from 'ui/registry/feature_catalogue'; - -FeatureCatalogueRegistryProvider.register(() => { - return { - id: 'triggersActions', - title: 'Alerts and Actions', // This is a product name so we don't translate it. - description: i18n.translate('xpack.triggersActionsUI.triggersActionsDescription', { - defaultMessage: 'Data by creating, managing, and monitoring triggers and actions.', - }), - icon: 'triggersActionsApp', - path: '/app/kibana#/management/kibana/triggersActions', - showOnHomePage: true, - category: FeatureCatalogueCategory.ADMIN, - }; -}); diff --git a/x-pack/legacy/plugins/triggers_actions_ui/public/legacy.ts b/x-pack/legacy/plugins/triggers_actions_ui/public/legacy.ts index bae9104081267..95cac99630fb4 100644 --- a/x-pack/legacy/plugins/triggers_actions_ui/public/legacy.ts +++ b/x-pack/legacy/plugins/triggers_actions_ui/public/legacy.ts @@ -67,7 +67,6 @@ routes.when(`${BASE_PATH}:section?/:subsection?/:view?/:id?`, { ...(npSetup.plugins as typeof npSetup.plugins), __LEGACY: { MANAGEMENT_BREADCRUMB, - capabilities, }, }); @@ -75,7 +74,6 @@ routes.when(`${BASE_PATH}:section?/:subsection?/:view?/:id?`, { ...(npSetup.plugins as typeof npSetup.plugins), __LEGACY: { MANAGEMENT_BREADCRUMB, - capabilities, }, }); diff --git a/x-pack/plugins/endpoint/common/types.ts b/x-pack/plugins/endpoint/common/types.ts index 1a1402671aa01..5e69aa0d18b68 100644 --- a/x-pack/plugins/endpoint/common/types.ts +++ b/x-pack/plugins/endpoint/common/types.ts @@ -4,6 +4,24 @@ * you may not use this file except in compliance with the Elastic License. */ +/** + * A deep readonly type that will make all children of a given object readonly recursively + */ +export type Immutable = T extends undefined | null | boolean | string | number + ? T + : T extends Array + ? ImmutableArray + : T extends Map + ? ImmutableMap + : T extends Set + ? ImmutableSet + : ImmutableObject; + +export type ImmutableArray = ReadonlyArray>; +export type ImmutableMap = ReadonlyMap, Immutable>; +export type ImmutableSet = ReadonlySet>; +export type ImmutableObject = { readonly [K in keyof T]: Immutable }; + export class EndpointAppConstants { static ENDPOINT_INDEX_NAME = 'endpoint-agent*'; } @@ -44,3 +62,37 @@ export interface EndpointMetadata { }; }; } + +export interface AlertData { + value: { + source: { + endgame: { + data: { + file_operation: string; + malware_classification: { + score: number; + }; + }; + metadata: { + key: string; + }; + timestamp_utc: Date; + }; + labels: { + endpoint_id: string; + }; + host: { + hostname: string; + ip: string; + os: { + name: string; + }; + }; + }; + }; +} + +/** + * The PageId type is used for the payload when firing userNavigatedToPage actions + */ +export type PageId = 'alertsPage' | 'endpointListPage'; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/index.tsx b/x-pack/plugins/endpoint/public/applications/endpoint/index.tsx index 7598141bdea65..9bea41126d296 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/index.tsx +++ b/x-pack/plugins/endpoint/public/applications/endpoint/index.tsx @@ -12,6 +12,7 @@ import { Route, BrowserRouter, Switch } from 'react-router-dom'; import { Provider } from 'react-redux'; import { Store } from 'redux'; import { appStoreFactory } from './store'; +import { AlertIndex } from './view/alerts'; /** * This module will be loaded asynchronously to reduce the bundle size of your plugin's main bundle. @@ -64,6 +65,7 @@ const AppRoot: React.FunctionComponent = React.memo(({ basename, st ); }} /> + ( diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/lib/saga.ts b/x-pack/plugins/endpoint/public/applications/endpoint/lib/saga.ts index bca6aa6563fe5..2a79827847f2e 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/lib/saga.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/lib/saga.ts @@ -5,7 +5,7 @@ */ import { AnyAction, Dispatch, Middleware, MiddlewareAPI } from 'redux'; -import { GlobalState } from '../store'; +import { GlobalState } from '../types'; interface QueuedAction { /** diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/action.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/action.ts new file mode 100644 index 0000000000000..593041af75c05 --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/action.ts @@ -0,0 +1,11 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { EndpointListAction } from './endpoint_list'; +import { AlertAction } from './alerts'; +import { RoutingAction } from './routing'; + +export type AppAction = EndpointListAction | AlertAction | RoutingAction; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/action.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/action.ts new file mode 100644 index 0000000000000..431b0d8d6fcf8 --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/action.ts @@ -0,0 +1,14 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { AlertData, Immutable } from '../../../../../common/types'; + +type ServerReturnedAlertsData = Immutable<{ + type: 'serverReturnedAlertsData'; + payload: AlertData[]; +}>; + +export type AlertAction = ServerReturnedAlertsData; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/index.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/index.ts new file mode 100644 index 0000000000000..5545218d9abd6 --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/index.ts @@ -0,0 +1,8 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +export { alertListReducer } from './reducer'; +export { AlertAction } from './action'; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts new file mode 100644 index 0000000000000..00ba8eddf9e67 --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/middleware.ts @@ -0,0 +1,19 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { AlertData, ImmutableArray } from '../../../../../common/types'; +import { AppAction } from '../action'; +import { MiddlewareFactory } from '../../types'; + +export const alertMiddlewareFactory: MiddlewareFactory = coreStart => { + return api => next => async (action: AppAction) => { + next(action); + if (action.type === 'userNavigatedToPage' && action.payload === 'alertsPage') { + const response: ImmutableArray = await coreStart.http.get('/api/endpoint/alerts'); + api.dispatch({ type: 'serverReturnedAlertsData', payload: response }); + } + }; +}; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts new file mode 100644 index 0000000000000..4ad815ee10b23 --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/reducer.ts @@ -0,0 +1,29 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { Reducer } from 'redux'; +import { AlertListState } from '../../types'; +import { AppAction } from '../action'; + +const initialState = (): AlertListState => { + return { + alerts: [], + }; +}; + +export const alertListReducer: Reducer = ( + state = initialState(), + action +) => { + if (action.type === 'serverReturnedAlertsData') { + return { + ...state, + alerts: action.payload, + }; + } + + return state; +}; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/selectors.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/selectors.ts new file mode 100644 index 0000000000000..51903a0a641e8 --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/alerts/selectors.ts @@ -0,0 +1,9 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { AlertListState } from '../../types'; + +export const alertListData = (state: AlertListState) => state.alerts; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/endpoint_list/reducer.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/endpoint_list/reducer.ts index 9813777c988ef..e57d9683e4707 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/endpoint_list/reducer.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/endpoint_list/reducer.ts @@ -4,8 +4,9 @@ * you may not use this file except in compliance with the Elastic License. */ +import { Reducer } from 'redux'; import { EndpointListState } from './types'; -import { EndpointListAction } from './action'; +import { AppAction } from '../action'; const initialState = (): EndpointListState => { return { @@ -16,7 +17,10 @@ const initialState = (): EndpointListState => { }; }; -export const endpointListReducer = (state = initialState(), action: EndpointListAction) => { +export const endpointListReducer: Reducer = ( + state = initialState(), + action +) => { if (action.type === 'serverReturnedEndpointList') { return { ...state, diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/index.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/index.ts index bfa1385b9f0ac..a32f310392ca9 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/index.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/index.ts @@ -8,8 +8,7 @@ import { createStore, compose, applyMiddleware, Store } from 'redux'; import { CoreStart } from 'kibana/public'; import { appSagaFactory } from './saga'; import { appReducer } from './reducer'; - -export { GlobalState } from './reducer'; +import { alertMiddlewareFactory } from './alerts/middleware'; const composeWithReduxDevTools = (window as any).__REDUX_DEVTOOLS_EXTENSION_COMPOSE__ ? (window as any).__REDUX_DEVTOOLS_EXTENSION_COMPOSE__({ name: 'EndpointApp' }) @@ -19,7 +18,9 @@ export const appStoreFactory = (coreStart: CoreStart): [Store, () => void] => { const sagaReduxMiddleware = appSagaFactory(coreStart); const store = createStore( appReducer, - composeWithReduxDevTools(applyMiddleware(sagaReduxMiddleware)) + composeWithReduxDevTools( + applyMiddleware(alertMiddlewareFactory(coreStart), appSagaFactory(coreStart)) + ) ); sagaReduxMiddleware.start(); diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/reducer.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/reducer.ts index 59ca4de91ac83..a9cf6d9980519 100644 --- a/x-pack/plugins/endpoint/public/applications/endpoint/store/reducer.ts +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/reducer.ts @@ -4,13 +4,12 @@ * you may not use this file except in compliance with the Elastic License. */ import { combineReducers, Reducer } from 'redux'; -import { endpointListReducer, EndpointListState } from './endpoint_list'; -import { AppAction } from './actions'; - -export interface GlobalState { - endpointList: EndpointListState; -} +import { endpointListReducer } from './endpoint_list'; +import { AppAction } from './action'; +import { alertListReducer } from './alerts'; +import { GlobalState } from '../types'; export const appReducer: Reducer = combineReducers({ endpointList: endpointListReducer, + alertList: alertListReducer, }); diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/routing/action.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/routing/action.ts new file mode 100644 index 0000000000000..263a3f72d57d5 --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/routing/action.ts @@ -0,0 +1,14 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { PageId } from '../../../../../common/types'; + +interface UserNavigatedToPage { + readonly type: 'userNavigatedToPage'; + readonly payload: PageId; +} + +export type RoutingAction = UserNavigatedToPage; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/routing/index.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/routing/index.ts new file mode 100644 index 0000000000000..68fd04d6a8355 --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/routing/index.ts @@ -0,0 +1,7 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +export { RoutingAction } from './action'; diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/store/selectors.ts b/x-pack/plugins/endpoint/public/applications/endpoint/store/selectors.ts new file mode 100644 index 0000000000000..2766707271cde --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/store/selectors.ts @@ -0,0 +1,31 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { GlobalState } from '../types'; +import * as alertListSelectors from './alerts/selectors'; + +export const alertListData = composeSelectors( + alertListStateSelector, + alertListSelectors.alertListData +); + +/** + * Returns the alert list state from within Global State + */ +function alertListStateSelector(state: GlobalState) { + return state.alertList; +} + +/** + * Calls the `secondSelector` with the result of the `selector`. Use this when re-exporting a + * concern-specific selector. `selector` should return the concern-specific state. + */ +function composeSelectors( + selector: (state: OuterState) => InnerState, + secondSelector: (state: InnerState) => ReturnValue +): (state: OuterState) => ReturnValue { + return state => secondSelector(selector(state)); +} diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/types.ts b/x-pack/plugins/endpoint/public/applications/endpoint/types.ts new file mode 100644 index 0000000000000..525983c9f8523 --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/types.ts @@ -0,0 +1,26 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { Dispatch, MiddlewareAPI } from 'redux'; +import { CoreStart } from 'kibana/public'; +import { Immutable, AlertData } from '../../../common/types'; +import { EndpointListState } from './store/endpoint_list'; +import { AppAction } from './store/action'; + +export type MiddlewareFactory = ( + coreStart: CoreStart +) => ( + api: MiddlewareAPI, GlobalState> +) => (next: Dispatch) => (action: AppAction) => unknown; + +export type AlertListState = Immutable<{ + alerts: AlertData[]; +}>; + +export interface GlobalState { + readonly endpointList: EndpointListState; + readonly alertList: AlertListState; +} diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx b/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx new file mode 100644 index 0000000000000..dcb324e3597c2 --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/view/alerts/index.tsx @@ -0,0 +1,80 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { memo, useState, useMemo } from 'react'; +import React from 'react'; +import { EuiDataGrid } from '@elastic/eui'; +import { useSelector } from 'react-redux'; +import * as selectors from '../../store/selectors'; +import { usePageId } from '../use_page_id'; + +export const AlertIndex = memo(() => { + usePageId('alertsPage'); + + const columns: Array<{ id: string }> = useMemo(() => { + return [ + { id: 'alert_type' }, + { id: 'event_type' }, + { id: 'os' }, + { id: 'ip_address' }, + { id: 'host_name' }, + { id: 'timestamp' }, + { id: 'archived' }, + { id: 'malware_score' }, + ]; + }, []); + + const [visibleColumns, setVisibleColumns] = useState(() => columns.map(({ id }) => id)); + + const json = useSelector(selectors.alertListData); + + const renderCellValue = useMemo(() => { + return ({ rowIndex, columnId }: { rowIndex: number; columnId: string }) => { + if (rowIndex > json.length) { + return null; + } + + const row = json[rowIndex]; + + if (columnId === 'alert_type') { + return row.value.source.endgame.metadata.key; + } else if (columnId === 'event_type') { + return row.value.source.endgame.data.file_operation; + } else if (columnId === 'os') { + return row.value.source.host.os.name; + } else if (columnId === 'ip_address') { + return row.value.source.host.ip; + } else if (columnId === 'host_name') { + return row.value.source.host.hostname; + } else if (columnId === 'timestamp') { + return row.value.source.endgame.timestamp_utc; + } else if (columnId === 'archived') { + return null; + } else if (columnId === 'malware_score') { + return row.value.source.endgame.data.malware_classification.score; + } + return null; + }; + }, [json]); + + return ( + + ); +}); diff --git a/x-pack/plugins/endpoint/public/applications/endpoint/view/use_page_id.ts b/x-pack/plugins/endpoint/public/applications/endpoint/view/use_page_id.ts new file mode 100644 index 0000000000000..9e241af4c0445 --- /dev/null +++ b/x-pack/plugins/endpoint/public/applications/endpoint/view/use_page_id.ts @@ -0,0 +1,20 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { useEffect } from 'react'; +import { useDispatch } from 'react-redux'; +import { PageId } from '../../../../common/types'; +import { RoutingAction } from '../store/routing'; + +/** + * Dispatches a 'userNavigatedToPage' action with the given 'pageId' as the action payload + */ +export function usePageId(pageId: PageId) { + const dispatch: (action: RoutingAction) => unknown = useDispatch(); + useEffect(() => { + dispatch({ type: 'userNavigatedToPage', payload: pageId }); + }, [dispatch, pageId]); +} diff --git a/x-pack/plugins/endpoint/public/embeddables/resolver/store/camera/action.ts b/x-pack/plugins/endpoint/public/embeddables/resolver/store/camera/action.ts index 4153070ab04e7..7d3e64ab34f23 100644 --- a/x-pack/plugins/endpoint/public/embeddables/resolver/store/camera/action.ts +++ b/x-pack/plugins/endpoint/public/embeddables/resolver/store/camera/action.ts @@ -28,7 +28,7 @@ interface UserZoomed { * A value to zoom in by. Should be a fraction of `1`. For a `'wheel'` event when `event.deltaMode` is `'pixel'`, * pass `event.deltaY / -renderHeight` where `renderHeight` is the height of the Resolver element in pixels. */ - payload: number; + readonly payload: number; } interface UserSetRasterSize { diff --git a/x-pack/plugins/endpoint/server/plugin.ts b/x-pack/plugins/endpoint/server/plugin.ts index b1ae2adbdbb35..1f34ba1d36d97 100644 --- a/x-pack/plugins/endpoint/server/plugin.ts +++ b/x-pack/plugins/endpoint/server/plugin.ts @@ -10,6 +10,7 @@ import { PluginSetupContract as FeaturesPluginSetupContract } from '../../featur import { createConfig$, EndpointConfigType } from './config'; import { registerEndpointRoutes } from './routes/endpoints'; import { EndpointAppContext } from './types'; +import { registerAlertRoutes } from './routes/alerts'; export type EndpointPluginStart = void; export type EndpointPluginSetup = void; @@ -68,6 +69,7 @@ export class EndpointPlugin const router = core.http.createRouter(); addRoutes(router); registerEndpointRoutes(router, endpointContext); + registerAlertRoutes(router); } public start() { diff --git a/x-pack/plugins/endpoint/server/routes/alerts.ts b/x-pack/plugins/endpoint/server/routes/alerts.ts new file mode 100644 index 0000000000000..68992b5890928 --- /dev/null +++ b/x-pack/plugins/endpoint/server/routes/alerts.ts @@ -0,0 +1,31 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { IRouter } from 'kibana/server'; + +import json from './sampledata.json'; + +export function registerAlertRoutes(router: IRouter) { + router.get( + { + path: '/api/endpoint/alerts', + validate: false, + options: { authRequired: true }, + }, + async (context, req, res) => { + try { + return res.ok({ + body: json, + headers: { + 'Content-Type': 'application/json', + }, + }); + } catch (err) { + return res.internalError({ body: err }); + } + } + ); +} diff --git a/x-pack/plugins/endpoint/server/routes/sampledata.json b/x-pack/plugins/endpoint/server/routes/sampledata.json new file mode 100644 index 0000000000000..b0d6ae02f9f92 --- /dev/null +++ b/x-pack/plugins/endpoint/server/routes/sampledata.json @@ -0,0 +1,11350 @@ +[ + { + "type": "doc", + "value": { + "id": "huVEc20BW148Je-rzxwQ", + "index": "test_alert_data", + "source": { + "@timestamp": 1542789433000, + "agent": { + "id": "5085268f-7443-4f15-85d2-bf14b2a69c60", + "type": "endgame", + "version": "3.0.0" + }, + "ecs": { + "version": "1.1.0" + }, + "endgame": { + "data": { + "alert_details": { + "acting_process": { + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "cmdline": "\"C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe\"", + "create_time": 1542788400, + "domain": "NT AUTHORITY", + "exe": "C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe", + "hashes": { + "md5": "1f2d082566b0fc5f2c238a5180db7451", + "sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d", + "sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2" + }, + "imphash": "c30d230b81c734e82e86e2e2fe01cd01", + "is_sensor": false, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "md5": "1f2d082566b0fc5f2c238a5180db7451", + "modules": [ + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1534424710, + "hashes": { + "imphash": "c30d230b81c734e82e86e2e2fe01cd01", + "md5": "1f2d082566b0fc5f2c238a5180db7451", + "sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d", + "sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 5362483200, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 05:28" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258681, + "hashes": { + "imphash": "d41d8cd98f00b204e9800998ecf8427e", + "md5": "3556d5a8bf2cc508bdab51dec38d7c61", + "sha1": "92015f7bbdb9dad35e41c533d2c5b85f1cd63d85", + "sha256": "91e3d98ad3119e8addf8d2aa1dd6795162842fff7101e4c70c5137e847b4ff50" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2006056960, + "mapped_size": 0, + "path": "C:\\Windows\\SYSTEM32\\ntdll.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258315, + "hashes": { + "imphash": "9165b02c931d76a9b666d8d42128111b", + "md5": "7a6326d96d53048fdec542df23d875a0", + "sha1": "5c02af0206c299f5bcab8da4237cfc92e3e93495", + "sha256": "182351570856cd6eedd9df7e2fb8ab76bd4d8fc70be11ad5de6484cfd70c21c6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2004877312, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\kernel32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258316, + "hashes": { + "imphash": "3f7fb1504bb73a54888bf1c3650fe4cf", + "md5": "da68c291b4ef2dec9c5963266bcae454", + "sha1": "5696e8c68fcf64104499e20e7cd5452b58b4f4ba", + "sha256": "21aa4779fc21e762178517268c95467238c92851ad9160bffc36b2379c58337f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791760109568, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\KERNELBASE.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258929, + "hashes": { + "imphash": "2cb501375ed127591bf5cfee7f1e52fe", + "md5": "fe70103391a64039a921dbfff9c7ab1b", + "sha1": "e0019d9442aeebd3bb42a24c38aa2fae4c6bd4f5", + "sha256": "f7d219d75037bc98f6c69143b00ab6000a31f8b5e211e0af514f4f4b681522a0" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2003828736, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USER32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258001, + "hashes": { + "imphash": "51945fdf9aaf56aeb9d6fa1f21b638ce", + "md5": "1084aa52ccc324ea54c7121fa24c2221", + "sha1": "b13ef924708fa88577931ed0337000e90adcdf5b", + "sha256": "6e972cf624f7c0de8190434b3b30279a01c551713109f97b9ebb77fac9364754" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791780163584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\GDI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534943, + "hashes": { + "imphash": "919110853c18aa198ad129945337b1dd", + "md5": "d202223587518b13d72d68937b7e3f70", + "sha1": "916a3ce858f074f57dd9dac01be5cd4649f19887", + "sha256": "9db971b866d058adbb518dd99b87c5db8dd1e7c9073755b989ae7e9fb62901e8" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791780622336, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\LPK.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258933, + "hashes": { + "imphash": "17bf46cf6bf6c8cae48be5b75615a353", + "md5": "2f8b1e3ee3545d3b5a8d56fa1ae07b65", + "sha1": "66310680ee38904b2852717af13028e53b4e8b8e", + "sha256": "2a3ec01f3bafe7d7d656886437f7ffecce440c0d3f3467804769ab4bf1ff7a99" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791788552192, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USP10.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535038, + "hashes": { + "imphash": "8c99b1c0f6cf68b07336751f460f1dba", + "md5": "7319bb10fa1f86e49e3dcf4136f6c957", + "sha1": "3eea5ee8bafb2b9975b236c5c5655df6f4b42aa1", + "sha256": "60de43ab267fd41c9804369b569139add30ed4e295c425f44fc04d3fcc95fca2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791775444992, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\msvcrt.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534699, + "hashes": { + "imphash": "e1ee2d71958d21e0e1bf887dfe76af7f", + "md5": "6df46d2bd74e3da1b45f08f10d172732", + "sha1": "3491f8f9a73c00b158e43a530210d67a4f0598ae", + "sha256": "2dc945f6f2c4a82189bc7da2fcbb7d9a0e2588a909539249e55ba82468e0c677" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791781736448, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ADVAPI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535198, + "hashes": { + "imphash": "b8ba136689cdc8d8b25fc04902f39a22", + "md5": "83404dcbce4925b6a5a77c5170f46d86", + "sha1": "22bda6b9da4fcf492b4dd16554b0c0e27e1b8667", + "sha256": "d669614d0b4461db244ad99fbe1ba92ceb9b4ed5ec8e987e23764e77d9ac7074" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791777214464, + "mapped_size": 0, + "path": "C:\\Windows\\SYSTEM32\\sechost.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258798, + "hashes": { + "imphash": "46876e4adb924a616ddbbb1992d61257", + "md5": "0611473c1ad9e2d991cd9482068417f7", + "sha1": "c4a3fa902dedad5d448e1d8b2d113cae1dcf2f7a", + "sha256": "90afcc2a60350ece27e75e76459132ef0fa28ef283ce88fced4b82735a93ecda" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791787307008, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\RPCRT4.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1534424472, + "hashes": { + "imphash": "a24cfb84e3006f3634d5b09aed45c264", + "md5": "56e6aa240cf6503265fbe5cf4d5889e8", + "sha1": "2678a3c08b2f82598527bd0c064eb1be5877e277", + "sha256": "4e7e127e2818eeb2de34a9369dcaca233443f085e53706c969592a9907df2ae8" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791710957568, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\AP.dll", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1534424450, + "hashes": { + "imphash": "f12460104bb4725d7964cf569f727f61", + "md5": "58017789505c114426b63c775debc12b", + "sha1": "0a348ca38bbcf851083578b77a8263765bd9b5e7", + "sha256": "1bd7d7b7b69e15adb6fcf0b520a7107eb5270163935e1f50fcee85ed65440b46" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791706894336, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\Protobuf.dll", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1438071093, + "hashes": { + "imphash": "341d1190606326748a708433d5d0cc36", + "md5": "0a2be3ed5a71082e5f9296f79323a639", + "sha1": "6acb15e8191b5530297c807d3066b1a71f4326d4", + "sha256": "8847013e01db09adab6a1dc338803df3696730577a0dda847847540529048aae" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791705714688, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\libprotobuf.dll", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Code Signing PCA", + "serial_number": "33 00 00 00 b0 11 af 0a 8b d0 3b 9f dd 00 01 00 00 00 b0 ", + "subject_name": "Microsoft Corporation" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "33 00 00 00 2b 39 32 48 c1 b2 c9 48 f3 00 00 00 00 00 2b ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "10/04/2013 22:49" + }, + "more_info_link": "http://microsoft.com", + "program_name": "msvcp120.dll", + "publisher_link": "" + }, + "compile_time": 1380942867, + "hashes": { + "imphash": "d0a59246eab41d54812cd63c2326e1f1", + "md5": "46060c35f697281bc5e7337aee3722b1", + "sha1": "d0164c041707f297a73abb9ea854111953e99cf1", + "sha256": "2abf0aab5a3c5ae9424b64e9d19d9d6d4aebc67814d7e92e4927b9798fef2848" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791704993792, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSVCP120.dll", + "signature_signer": "Microsoft Corporation", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Code Signing PCA", + "serial_number": "33 00 00 00 b0 11 af 0a 8b d0 3b 9f dd 00 01 00 00 00 b0 ", + "subject_name": "Microsoft Corporation" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "33 00 00 00 2b 39 32 48 c1 b2 c9 48 f3 00 00 00 00 00 2b ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "10/04/2013 22:49" + }, + "more_info_link": "http://microsoft.com", + "program_name": "msvcr120.dll", + "publisher_link": "" + }, + "compile_time": 1380942847, + "hashes": { + "imphash": "8f18e22935ef8b336e246ee763fbec97", + "md5": "9c861c079dd81762b6c54e37597b7712", + "sha1": "62cb65a1d79e2c5ada0c7bfc04c18693567c90d0", + "sha256": "ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791704010752, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSVCR120.dll", + "signature_signer": "Microsoft Corporation", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258732, + "hashes": { + "imphash": "faad2d5bf5c0ca9639e07a49e8c5d8ae", + "md5": "6c60b5aca7442efb794082cdacfc001c", + "sha1": "aae17944782b25f41f7b3a756532b4923f4ae817", + "sha256": "fc1d9124856a70ff232ef3057d66bee803295847624ce23b4d0217f23af52c75" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791791894528, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ole32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258736, + "hashes": { + "imphash": "774fed8966de60d3af2dd9070df5be6f", + "md5": "42f05f980f164e084db65b2e8cd8430f", + "sha1": "86498b3c5bbc240b9de0a10f2cb4185e754de6d7", + "sha256": "0813749847b08f6577791d18ad9eca6dff5b41c2f727ab5ee9e5bf9602ed50cb" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791783899136, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\OLEAUT32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258981, + "hashes": { + "imphash": "1ec347d133df2fe4da3e5f8944caeae8", + "md5": "4bbfa57f594f7e8a8edc8f377184c3f0", + "sha1": "d48aafa576b40a5e386e609bba1010472551154a", + "sha256": "9f3ac5dea5a6250c3dbb97af79c81c0a48429486521f807355a1d7d3d861b75f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791779835904, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WS2_32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535145, + "hashes": { + "imphash": "579f52f57e43aa6ff0d07e88af5d0ff5", + "md5": "044fe45ffd6ad40e3bbbe60b7f41babe", + "sha1": "94233c0d4169c02c85514adb1f05cd3298c87f43", + "sha256": "a1688a5e6e0f7037c850699462c2655006a7d873c97f9ab406c59d81749b6f09" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791791828992, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\NSI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258859, + "hashes": { + "imphash": "4b37cbf60127ea0550ec30e0b1c52984", + "md5": "eaf32cb8c1f810e4715b4dfbe785c7ff", + "sha1": "3b099b193abb9064e6937101d0c309f04d713882", + "sha256": "db6ad07fded42433e669508ab73faff6daff04575d6f1d016fe3eb6ecec4dd5d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791784816640, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SHLWAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257495, + "hashes": { + "imphash": "fd8a6a2046d9572b7f8f4288ae251c61", + "md5": "497bfeddaf3950dd909c3b0c5558a25d", + "sha1": "5d55bdc156372f51eb126f7bc2a8af161a1ef254", + "sha256": "980ea189929d95eb36e35980fff0c81f7b78de9422771fde8f4ac7a779f5bd89" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791730683904, + "mapped_size": 0, + "path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258138, + "hashes": { + "imphash": "0bc508389b6b5577cf3cca214ca523a7", + "md5": "2b81776da02017a37fe26c662827470e", + "sha1": "8c85389640bea73a009d83079f8b4c963697035f", + "sha256": "a656353c50ee08422145d00db9cfd9f6d3e664753b3c454b171e2a56a8aa94dc" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791725375488, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\IPHLPAPI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535281, + "hashes": { + "imphash": "e710d6d30f2346e7cd91c89ec3b602d9", + "md5": "4c9210e8f4e052f6a4eb87716da0c24c", + "sha1": "d4fa50aded12eb162478d7606f1270b78dd1a44b", + "sha256": "460f7990bdadb7d58d6dc95b094d30a2efdc4ceed444b18a2f36e8d9076fb8b9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791725113344, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINNSI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247527581, + "hashes": { + "imphash": "be693a67b5b884d7609eaf574ba00955", + "md5": "d87e1e59c73c1f98d5ded5b3850c40f5", + "sha1": "141c0ebecdd2733b90431f18b188ee0b64456268", + "sha256": "536419bff9f877d4314b5d0c045d9a6e729489c389863fadf07e382050bc84fd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2007957504, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\PSAPI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1472978395, + "hashes": { + "imphash": "3a8c832bddbba9333df28c1da212318e", + "md5": "e1c637922e34d868ebcd6ef199cf1394", + "sha1": "01c19a0137082a03ecace613506af5fe9a66a12b", + "sha256": "0c0c7b4c9926413c285fa2345f08b895888887156277e535851a1f1d774e6c6c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791703158784, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\SQLite2015.dll", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534912, + "hashes": { + "imphash": "d76d7be0b8ac9aafe17d2cc7deb32b29", + "md5": "aa2c08ce85653b1a0d2e4ab407fa176c", + "sha1": "0119c23d88292a0e4fec04d5cf8629005a44e37c", + "sha256": "83dfd0c119b20aedb07114c9d1cf9ce2dfa938d0f1070256b0591a9e2c3997fa" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791790977024, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\IMM32.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535018, + "hashes": { + "imphash": "b523fff180cb22465ccf191b827e9923", + "md5": "c431eaf5caa1c82cac2534a2eab348a3", + "sha1": "e425577ccfc9b92efbbcb760d21fcaa478d3e51a", + "sha256": "addf850128dc675e67faba9a3d0d27e684f01f733962ca22927bb94503549e44" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791776100352, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSCTF.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534874, + "hashes": { + "imphash": "621a31b25a9ef1d128ea281b3eab572b", + "md5": "0040c486584a8e582c861cfb57ab5387", + "sha1": "bcf326e3f79b3db028c2ef1cc1a47d9697e867e7", + "sha256": "5ee17b55cb702d14ae75b19226de21cd2498bda6c6ef5872fdb8a718f401fed1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791724654592, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\fwpuclnt.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258848, + "hashes": { + "imphash": "cc4d63ca30fdbb90048e549782d2116a", + "md5": "858df0795cb5b4bace0f33708925a414", + "sha1": "e629ed78e6e1829263890974760dad8a431edf69", + "sha256": "a9063af8d5c73a722bd269d144d8a65c98db4cfdd9f626e3a8283754e22c8c9c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791753031680, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\Secur32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258854, + "hashes": { + "imphash": "9c631776d86c9b15258c3cc2a6a7891d", + "md5": "26e716ed95dc48cf6e5ac046089366af", + "sha1": "2bd96b8ae5ae3ad14c16d2a98a91a9a9f26d179d", + "sha256": "f686d557b7ac1688efc7cb48311290d713d3db2e9e61e947098a7c80e3a1b9e9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791761092608, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\shell32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "11/29/2016 03:22" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1480418473, + "hashes": { + "imphash": "f89e0a919d52e2b37d82d27f521530cf", + "md5": "f1a6e89598aa63a2efcfd1e31b44fe7c", + "sha1": "cd3a39758e72f42ef077c0ad9dd700509a032da6", + "sha256": "1ee6540520a7a84bc22036be42052303b5aed9911c9e8a04184a0688c63576f8" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791699816448, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\BDUpdateServiceCom.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258594, + "hashes": { + "imphash": "2bd8f9f72a13c2803ac3d34b805130b9", + "md5": "764908fe1fa96f93c95b1b67a0fced29", + "sha1": "88d0027e5d10158e3678d9eb2326779fef8a64d1", + "sha256": "26ef25ab307903c5e806a8cc3b750a491049e5d1225ceddfce64dd51aa6f592b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791720656896, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\NETAPI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258588, + "hashes": { + "imphash": "96f28fef38c977afbf3f6e8f39c0d6b9", + "md5": "6ceca4c6a489c9b2e6073afdaae3f607", + "sha1": "b228f6208642cb99e5bcdf2d3ebda2b8bc4fb020", + "sha256": "127506d1db38275614cbeb047c133718ef9d03266ba9c98be55ec7847cfc9c3d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791720198144, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\netutils.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258920, + "hashes": { + "imphash": "2d37f2d4b3c246f361ca150fc7ebf8d4", + "md5": "3a9c9baf610b0dd4967086040b3b62a9", + "sha1": "3207ac7f895eab34623d994548d7810e54be3e79", + "sha256": "e8e9a0f42b1ee7806edceed08aa024d037215d06ca317e3678bd5364ad513d23" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791751524352, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\srvcli.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259010, + "hashes": { + "imphash": "6ad99a405bde55d6a18debafd3f5e5c5", + "md5": "3c91392d448f6e5d525a85b7550d8ba9", + "sha1": "b62eaf7d80617e136a8f3c9161c23464e6f2a171", + "sha256": "6fd0dc73dbe7519e2c643554c2a7f8fbe4f9a678c4241bb54b3c6e65d2abcf3a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791720067072, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wkscli.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535234, + "hashes": { + "imphash": "13ecfa3a285149680a7a4b174c8b8f5b", + "md5": "94e026870a55aaeaff7853c1754091e9", + "sha1": "a4f845318e095d841b05e1400747ee4c28e1f28e", + "sha256": "b2f5d5629d12bdfa98dbed3898368f37d9009c7531b6909c7285a2c11c9a0f93" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791741169664, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\VERSION.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "01/18/2017 09:26" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1484760175, + "hashes": { + "imphash": "b33f679b12d9d05d922e720c0e21818c", + "md5": "1e5ea729f6dc5a8aff675a45706d389d", + "sha1": "f5a70ab4772325946a93c9eaf48ebe1dd1e7d3a3", + "sha256": "35da922b25ec8389a733f46a6c0d37c2c6b05463a123cde9fee48402c473e1ef" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791699161088, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\scan.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "11/22/2016 08:08" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1479830743, + "hashes": { + "imphash": "513a166377e008d25aa2e22983dd13ff", + "md5": "3450d998edec5cdbd03b0df09c17e02d", + "sha1": "558979fb1a9368acdf2dc1e3d1afd94e7343f914", + "sha256": "c1f24493e4fc2a9c5d17e077455c3a610ad1e5fa46590f0f9598e680e5a07556" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791698702336, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\gzfltum.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "01/16/2017 05:34" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1484573247, + "hashes": { + "imphash": "d6d5dc292fe4d710905e9f280360309d", + "md5": "9f1bcf84eaa34afbdfcf19f22fc1d6f5", + "sha1": "e15e023d46738f4848f64ce853ada6a3083f8b7f", + "sha256": "d1c30b1a7fc63c4f52b00628c3e73f571db52ff2b87718bcb5a6322923f58987" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791696343040, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\bdquar.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "01/16/2017 05:34" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1484573248, + "hashes": { + "imphash": "4e1a791e94ac955105ddfaac387de22f", + "md5": "874d6017f89a2ef255a16280ed4b1bf7", + "sha1": "8951c3ab1c9ea0c312206b98d22a9779c8a89c8c", + "sha256": "00512202b78037c17a77b095fcb3458381002dbd20de8dee0c99ff7701343cda" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791693721600, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\BDSmartDB.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257756, + "hashes": { + "imphash": "5cd9d6761799e2ff681533ef1ffbb31d", + "md5": "2477a28081bdaee622cf045acf8ee124", + "sha1": "304c5f29fa847fbd994ad7a0471214198b928c14", + "sha256": "00a09caf9129e84feea98fa03ce9012c9f961b64fee15c4f268822c0f82acc3c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791757291520, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CFGMGR32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "DigiCert Assured ID Code Signing CA-1", + "serial_number": "0f b5 4c 96 fd 63 93 fd 7b b9 9c d1 d0 d5 16 ed ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "09/12/2018 01:20" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1512623776, + "hashes": { + "imphash": "e2dab13fa4a67b25d3fbae65a189c521", + "md5": "627d7f1de23e6b01d6251b4c6962e765", + "sha1": "5e1d1854861016198ce4a1dbdea883f257de9463", + "sha256": "82bdf513b5f5b55ff740482ee839b14455b2296e2a911cb9a1ae622969412ed5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791688937472, + "mapped_size": 0, + "path": "C:\\ProgramData\\apv2\\bd_db\\1\\bdcore.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "09/13/2017 23:13" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1505278115, + "hashes": { + "imphash": "c2979e6e570392ed85b4e15810f2e90f", + "md5": "3b4c71b64bc20b0c6578a091a031c0fb", + "sha1": "00cb578e723555e929e4ad8e820772b56ce29475", + "sha256": "52db08c10a5f1482dda8527d592f71b33c1cfecfa5a5a2d0be5a78325c41dd7b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791679827968, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\bdnc.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257999, + "hashes": { + "imphash": "04534d8dae5ab230b9bee9b1b0b2829d", + "md5": "3f9f2afa135f0663946a006dd5ffd897", + "sha1": "ea6456859b04b68af8dcd453381dd168af53fc5e", + "sha256": "276d1c9c78c529625c2ef3d77079324628686ea184767971901a1de93681c133" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791758209024, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPT32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258373, + "hashes": { + "imphash": "2e50bc5d9fe777770c8a6b2cfaf6b2e9", + "md5": "884415bd4269c02eaf8e2613bf85500d", + "sha1": "c3a64f05c210b38c69d8f1fc1d74a71b56ada30c", + "sha256": "efe771709ec942694fd206ac8d0a48ed7dcd35036f074268e4aecd68ac982cea" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791757225984, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSASN1.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535280, + "hashes": { + "imphash": "af1203c1d6d810c97729856780869b12", + "md5": "ef2ae43bcd46abb13fc3e5b2b1935c73", + "sha1": "c53e005cd04d99331ce3114ac119256133202313", + "sha256": "81fc06f306f620845d7dd8d06e706309e70bc89b589c81f3478302a3f5f73431" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791679172608, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINMM.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258927, + "hashes": { + "imphash": "b32250da0d30f7782b5b900d4d9c519a", + "md5": "2a86e54b441ad41557f75dc5609b9793", + "sha1": "83ddcf8a1a0ca423bf8417f5e59b5c431bf50c43", + "sha256": "8fede6909413c0fa5b63d58d39affd0f6c3beeaf19b7b2f8674913abfd79a912" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791754866688, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SSPICLI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258493, + "hashes": { + "imphash": "466f15f36f10655b30e9347e7dfc2b52", + "md5": "1d5185a4c7e6695431ae4b55c3d7d333", + "sha1": "5e9f739d46e20541ffc0a6421dc6be416ca8f261", + "sha256": "16f3906c54f1d71559836fdfcf4e83e7c9f454463d78fd577ad2d7022e0bcb51" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791748378624, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\mswsock.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535287, + "hashes": { + "imphash": "f967c6b35a5d1b7765016056a842e331", + "md5": "31559f3244c6bc00a52030caa83b6b91", + "sha1": "7943540153c7b7878101a4901d7935e05e7cfd32", + "sha256": "b2025742b5f0025ace9821d5722de3f997eeeab21d2f381c9e307882df422579" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791742021632, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wshtcpip.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534998, + "hashes": { + "imphash": "77870f98ca4d25a823c74d7404a64bfd", + "md5": "d0c2fbb6d97416b0166478fc7ae2b212", + "sha1": "e290bdf2312ac30a4e9f2a96d7c84714eee84899", + "sha256": "7eab6c37f0a845e645ca44cc060ac6c56e386c7ef7a64716c6786c9602ad8c9d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791748771840, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPTSP.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 17:43" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247535161, + "hashes": { + "imphash": "b8c20a01e4d94df61ee21f5350389f9c", + "md5": "5d8874a8c11dddde29e12de0e2013493", + "sha1": "a1c8e3e6ee44dcb68752d44b3b6f4ecce89c388d", + "sha256": "3e9a57137bf622af83e3e4d58971e2c0200559cca7545d16cf263aa03ee9c7d2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791745626112, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\rsaenh.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534993, + "hashes": { + "imphash": "f0c6fd6831905d958b05645b680db89f", + "md5": "784fa3df338e2e8f5f0389d6fac428af", + "sha1": "6d32c67c91c6d374854e907c6719db2538540867", + "sha256": "9c8aa0cfdeb9e38aaf8eb08626070e0f0364f4f8a793cfe3532ec6c007980c34" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791755456512, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPTBASE.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257906, + "hashes": { + "imphash": "ff74e3ff0a015c2023b747f613061e42", + "md5": "a52b6cc24063cc83c78c0e6f24deec01", + "sha1": "a5384efac7d1f9213aaf0423ed0b021bc986b9df", + "sha256": "77e0d2b2356e71f9be52fa479c9dde17c453c198bb49cd4a97f2309628d82e3b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791746805760, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\DNSAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534791, + "hashes": { + "imphash": "59b31e42f8fae7b5809ba7fcae732e0c", + "md5": "4cbcc37856ea2039c27a2fb661dda0e5", + "sha1": "cc666108d34168420a1d1942dda1e090154c7296", + "sha256": "74cbfab3092a9564bddfcb84db3e3f8bcfd1492938adf187423d3355d73d21c6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791722557440, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dhcpcsvc6.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534790, + "hashes": { + "imphash": "f17020f0f66b64fbdf51c75b43f3729d", + "md5": "f568f7c08458d69e4fcd8675bbb107e4", + "sha1": "c1e05f0255a6f386711044b11e2d04dfd328b26a", + "sha256": "a5fa25ecf248999a68ccecfbb508bfa1add18a23e20a9a9081a87c41caaa36c0" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791722426368, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dhcpcsvc.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534847, + "hashes": { + "imphash": "dda6776607f283829d85b996f5e46d03", + "md5": "f3d202f53a222d5f6944d459b73cf967", + "sha1": "c9db224ce8ec34aa2f341b6766ea67aa12f8b4a7", + "sha256": "e9f1d48eb333d32331bcfd0348fe07bee7d5352292e6020571da395f596affe7" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791675961344, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\FLTLIB.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535135, + "hashes": { + "imphash": "ff720e05e534d67b814b8562265058f5", + "md5": "2c942733a5983dd4502219ff37c7ebc7", + "sha1": "263e8fbf77c0ceead0c9bca56394bffa4a664361", + "sha256": "34b20b6b0d7274e4b5b783f1d2345bc3dd9888964d5c2c65712f041a00cf5b45" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791756308480, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\profapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259008, + "hashes": { + "imphash": "b2ecd39ae0055d9e1b8aa5bc78942cba", + "md5": "eb3f9c2de1236b5d46b2291d82970e43", + "sha1": "0ce9ddc1063256ab571b916389321fd7f572ddc0", + "sha256": "8a43d335f3d573bed98af54bb51e82546c2acc025da8a48d801213eb14e9d5d4" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791759847424, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINTRUST.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534778, + "hashes": { + "imphash": "37afbae3e0f359c3718e379261f7ccfc", + "md5": "25983de69b57142039ac8d95e71cd9c9", + "sha1": "01691e3b0bfa569e64bdb7dc3d637a867ed2dc08", + "sha256": "a677da7ebcbcb6073d27e8a38809f51e971e83ed379bc599aaad6ef4216348da" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791791173632, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CLBCatQ.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258799, + "hashes": { + "imphash": "a198edd0f73abd7cdbb54eef82ab1fc6", + "md5": "c2a8cb1275ecb85d246a9ecc02a728e3", + "sha1": "4417207821fc8f5c72ff531683f183caef297882", + "sha256": "3603fadca0060bd201148f9d59e4e2627f024609a6463ab525b5d1ad17bdcd10" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791756177408, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\RpcRtRemote.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258979, + "hashes": { + "imphash": "207b35260128e01bb777acc1377dc241", + "md5": "58f4493bf748a3a89689997b7bd00e95", + "sha1": "9974ba41e8215f6669deb765988cfe34e9c1b56e", + "sha256": "ec5deec73e357c7c87b001275c4e635011a9cf39419f2b86e2c2b8d7e388c551" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791697915904, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\winhttp.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258934, + "hashes": { + "imphash": "01ecfbe4437ca8d85dd9400611c1b90e", + "md5": "bc9489df517c426d4044d99f14449134", + "sha1": "814f9c8c59ee59f2ff3fc1b5e21d5e270babb506", + "sha256": "cabd014ba29a548252bb8d5bd46d047dbfc445489492d9df75b29cede0ac9f8b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791697457152, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\webio.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257996, + "hashes": { + "imphash": "eb1c8dd21e1f92a8be35a76b165ce8da", + "md5": "52d3d5e3586988d4d9e34acaac33105c", + "sha1": "2c20246d2c45fb6e8976b37ad62465f5f4255f2b", + "sha256": "c61b60ba962b25b8334f0941c3535ea4aca1cc060b8a196e396ca3e11ceef8a1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791744577536, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\credssp.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535281, + "hashes": { + "imphash": "9e65c315ab3a48dda5ab558165a5002b", + "md5": "ec7cbff96b05ecf3d366355b3c64adcf", + "sha1": "fa74a61ea56a7bc3149860b5344c51fa9b6555bb", + "sha256": "f69ed45ebedca9cf000ac03281f0ec2c351f98513fba90e63394e4e561d6c7a2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791748313088, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wship6.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535149, + "hashes": { + "imphash": "c2a02641f5327bf07de486ae7ec62117", + "md5": "88351b29b622b30962d2feb6ca8d860b", + "sha1": "3338d73b6c86fce85b07236ac230e5e2f4601818", + "sha256": "a16cad7d94c1c9807083bb36e9b4c3c14e6482c4ca2bdfacbcc86e737ddce42e" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791678255104, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\rasadhlp.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258810, + "hashes": { + "imphash": "34991d52051c8576ed061e7a2c5a4ae0", + "md5": "a199de544bf5c61c134b22c7592226fc", + "sha1": "03d97c806e4a28bb37d8c8384deddd6ac28acc9d", + "sha256": "af0cc2da847036f5fe6dd9fbeda7c3d05af291873d4eae121676dc6e8841a78f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791746215936, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\schannel.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535060, + "hashes": { + "imphash": "6a351d0e14283da2cd897563f0062c5b", + "md5": "2e8c52a0ec788d90fa35d9507d828771", + "sha1": "0725085c62d3a5a9a0d50256c2a56161aaca0a07", + "sha256": "dd5aaa10e075f209d9827c7a192ad5645d1156c149db9b5ac1ef7b5e0b5f11de" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791750344704, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ncrypt.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534713, + "hashes": { + "imphash": "9f3aab7eb2ffeeba57cb67496b05f365", + "md5": "b9a95365e52f421a20e1501935fadda5", + "sha1": "958a7ba90043f8e3b94da849a2da8bb139fc39c9", + "sha256": "ddb4cb575139233efaf2c59b7e9b04af36bbccc63190181f3b2a7e6bfc86e77e" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791750148096, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\bcrypt.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 34 64 00 00 00 00 00 0c ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 05:28" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257648, + "hashes": { + "imphash": "738644d200eea1ceb5661b1ac09aa146", + "md5": "d6c7780a364c6bbacfa796bab9f1b374", + "sha1": "15236c349be131790d21a63550d725cc62b1bf13", + "sha256": "3b5ed1a030bfd0bb73d4ffcd67a6a0b8501ef70293f223efaa12f430adf270f9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791744839680, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\bcryptprimitives.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258932, + "hashes": { + "imphash": "0e8a67fa12ce3d22a9e1d18bda5c3260", + "md5": "7a17485dc7d8a7ac81321a42cd034519", + "sha1": "83d1722a35eb16b010d8c9f72c627e97d4642101", + "sha256": "88d8705fa901793fc8c1cfd0175e49a6502bf0fc94a066ba573d2fd13aa5f04a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791743201280, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USERENV.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534853, + "hashes": { + "imphash": "1bcae470249f30c5f912c1293a2d3470", + "md5": "9c9307c95671ac962f3d6eb3a4a89bae", + "sha1": "6190ce7b101c5946b1d773245d286a1e592f5181", + "sha256": "d1433791c9b8bceead8937ec18d33e89e4e2012b5975228a8500fd141bc30078" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791743070208, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\GPAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + } + ], + "name": "AmSvc.exe", + "parent_exe": "C:\\Windows\\System32\\services.exe", + "parent_name": "services.exe", + "pid": 1076, + "ppid": 432, + "primary_token": { + "domain": "NT AUTHORITY", + "integrity_level": 16384, + "integrity_level_name": "system", + "privileges": [ + { + "description": "Replace a process level token", + "enabled": false, + "name": "SeAssignPrimaryTokenPrivilege" + }, + { + "description": "Lock pages in memory", + "enabled": true, + "name": "SeLockMemoryPrivilege" + }, + { + "description": "Adjust memory quotas for a process", + "enabled": false, + "name": "SeIncreaseQuotaPrivilege" + }, + { + "description": "Act as part of the operating system", + "enabled": true, + "name": "SeTcbPrivilege" + }, + { + "description": "Manage auditing and security log", + "enabled": false, + "name": "SeSecurityPrivilege" + }, + { + "description": "Take ownership of files or other objects", + "enabled": false, + "name": "SeTakeOwnershipPrivilege" + }, + { + "description": "Load and unload device drivers", + "enabled": true, + "name": "SeLoadDriverPrivilege" + }, + { + "description": "Profile system performance", + "enabled": true, + "name": "SeSystemProfilePrivilege" + }, + { + "description": "Change the system time", + "enabled": false, + "name": "SeSystemtimePrivilege" + }, + { + "description": "Profile single process", + "enabled": true, + "name": "SeProfileSingleProcessPrivilege" + }, + { + "description": "Increase scheduling priority", + "enabled": true, + "name": "SeIncreaseBasePriorityPrivilege" + }, + { + "description": "Create a pagefile", + "enabled": true, + "name": "SeCreatePagefilePrivilege" + }, + { + "description": "Create permanent shared objects", + "enabled": true, + "name": "SeCreatePermanentPrivilege" + }, + { + "description": "Back up files and directories", + "enabled": true, + "name": "SeBackupPrivilege" + }, + { + "description": "Restore files and directories", + "enabled": true, + "name": "SeRestorePrivilege" + }, + { + "description": "Shut down the system", + "enabled": false, + "name": "SeShutdownPrivilege" + }, + { + "description": "Debug programs", + "enabled": true, + "name": "SeDebugPrivilege" + }, + { + "description": "Generate security audits", + "enabled": true, + "name": "SeAuditPrivilege" + }, + { + "description": "Modify firmware environment values", + "enabled": false, + "name": "SeSystemEnvironmentPrivilege" + }, + { + "description": "Bypass traverse checking", + "enabled": true, + "name": "SeChangeNotifyPrivilege" + }, + { + "description": "Remove computer from docking station", + "enabled": false, + "name": "SeUndockPrivilege" + }, + { + "description": "Perform volume maintenance tasks", + "enabled": false, + "name": "SeManageVolumePrivilege" + }, + { + "description": "Impersonate a client after authentication", + "enabled": true, + "name": "SeImpersonatePrivilege" + }, + { + "description": "Create global objects", + "enabled": true, + "name": "SeCreateGlobalPrivilege" + }, + { + "description": "Increase a process working set", + "enabled": true, + "name": "SeIncreaseWorkingSetPrivilege" + }, + { + "description": "Change the time zone", + "enabled": true, + "name": "SeTimeZonePrivilege" + }, + { + "description": "Create symbolic links", + "enabled": true, + "name": "SeCreateSymbolicLinkPrivilege" + } + ], + "sid": "S-1-5-18", + "type": "tokenPrimary", + "user": "SYSTEM" + }, + "services": [ + { + "name": "CybereasonAntiMalware" + } + ], + "sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d", + "sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2", + "sid": "S-1-5-18", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted", + "threads": [ + { + "create_time": 1542788400, + "entrypoint": 5362733988, + "thread_id": 1080, + "up_time": 1084 + }, + { + "create_time": 1542788400, + "entrypoint": 2006167232, + "thread_id": 1108, + "up_time": 1083 + }, + { + "create_time": 1542788400, + "entrypoint": 8791693804752, + "thread_id": 1232, + "up_time": 1080 + }, + { + "create_time": 1542788400, + "entrypoint": 8791693762672, + "thread_id": 1244, + "up_time": 1080 + }, + { + "create_time": 1542788400, + "entrypoint": 8791679862464, + "thread_id": 1392, + "up_time": 1070 + }, + { + "create_time": 1542788400, + "entrypoint": 8791679862464, + "thread_id": 1396, + "up_time": 1070 + }, + { + "create_time": 1542788400, + "entrypoint": 8791679865776, + "thread_id": 1400, + "up_time": 1070 + }, + { + "create_time": 1542788400, + "entrypoint": 8791679929872, + "thread_id": 1404, + "up_time": 1070 + }, + { + "create_time": 1542788400, + "entrypoint": 2006186944, + "thread_id": 1480, + "up_time": 1067 + }, + { + "create_time": 1542788400, + "entrypoint": 8791704162340, + "thread_id": 1632, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 8791698721056, + "thread_id": 1640, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 8791698721056, + "thread_id": 1644, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 8791698721056, + "thread_id": 1648, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 8791698721056, + "thread_id": 1652, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 8791698721392, + "thread_id": 1656, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 8791698720112, + "thread_id": 1660, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 8791698720736, + "thread_id": 1664, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 8791698722160, + "thread_id": 1668, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 5362651040, + "thread_id": 1672, + "up_time": 1033 + }, + { + "create_time": 1542788400, + "entrypoint": 5362651040, + "thread_id": 1680, + "up_time": 1033 + }, + { + "create_time": 1542788900, + "entrypoint": 8791680004352, + "thread_id": 1808, + "up_time": 587 + }, + { + "create_time": 1542789000, + "entrypoint": 2006186944, + "thread_id": 2284, + "up_time": 432 + }, + { + "create_time": 1542789100, + "entrypoint": 2006186944, + "thread_id": 1780, + "up_time": 364 + }, + { + "create_time": 1542789100, + "entrypoint": 2006186944, + "thread_id": 12, + "up_time": 343 + }, + { + "create_time": 1542789200, + "entrypoint": 8791748438592, + "thread_id": 2476, + "up_time": 168 + } + ], + "unique_pid": 22, + "unique_ppid": 8, + "up_time": 1084, + "user": "SYSTEM" + }, + "acting_thread": { + "create_time": 1542788400, + "service_name": "CybereasonAntiMalware", + "thread_id": 1648, + "thread_start_address": 8791698721056, + "thread_start_address_module": "C:\\Program Files\\Cybereason ActiveProbe\\gzfltum.dll" + } + }, + "captured_file": false, + "file_name": "C:\\Windows\\TEMP\\tmp0000008f\\tmp00001c75", + "file_operation": "creation", + "file_owner": "Administrators", + "file_size": 188416, + "hashes": { + "imphash": "835d619dfdf3cc727cebd91300ab3462", + "md5": "4ace3baaa509d08510405e1b169e325b", + "sha1": "27fb21cf5db95ffca43b234affa99becc4023b9d", + "sha256": "6ed1c836dbf099be7845bdab7671def2c157643761b52251e04e9b6ee109ec75" + }, + "is_signature_trusted": false, + "malware_classification": { + "compressed_malware_features": { + "data_buffer": "eAHtnU1oHHUUwHsQ7MGDiIIUD4sH8WBBxJtopiLoUY0pYo2ZTbJJ0yQ17m4+ms/NRzeVWpuUWCL4sWlEYvFQ8KJQ6NCTEA8eRD30sIo3PdSriLi7837Pko3LbHZ2M5m+XObHm/d/X////83O7jCZvzacHBpPplNdfalkdjSdyty674Ft59dN71Dpb9v5eKh8LMEHjsCF2wIfVlRKsHROYPGkQO5+gY2vBSYYdWZFYGwEO/cITHMqkxPYnBBY+07gtCuQ9gSGigJ5lPPYGXcE+jA4z3Ad1ZtAUiDUyrEEPYzqRnIKgxd/Rgc7gygPo5wn95PouN7OeEYJ1UXiJgRmvscgp/LOziIkkSyT+xRVnXhZ4DKh5goCkzidRHkGO4uvCyw9LDDtCay8ILCAzrJOJaGuZwUuvSewivJVIPsklq8JbL4qMJsTSCcExrGs83WKU295ZFo5lr2TaZbcUw5FeJy8tgTeLpCy2iGeS67ABXzlgbEi1UC5FxcZnA4y/CLK82Qxi847FGGZRTLsCUxR1aWEwOp1AmOjDRYYzgwusL9WfqBiGJxnVAanixTq7Dp22LBdlWMJzlOx8wmBK2Rx5WmBLJIRwtAijOQE+ooCb2B5xBOYRtlfNeXpLpA7oyZRTqHzGenkmIJPnhBIMrzTwSA6H93CO5l+c1NA99f6IwLH8fUKdjTmDpTbgS50+gGVnECnE4PpooC2guPoaPADSHrcncNHmEHtAFkq3+EI+A37zsrrTvH3WTkvJLoOTyBp10wx2JcgVCRahA4NrICE4a+hrMXsA3qAHItW188E8ejO7XV3eh/KCYwxlamEwCgL8lN2wTntfrhY/U0g/5KAdvUpT+AszWqBdqH7VLeeZrExK9Cv1UgIDKA8g/cx7QAEP+AhAfRaMKB2HOJh+BSFSqKjSytNGBlc6PrpxvK7lCVDxbSG3Z7AhCMwx6gelwgLAltXBXJUTH29j+U1LHdipx/QprfKfGnF0sBpdBYxmEQyTzW0h6/0khcuhhJYRufym+i4VKMocJMs/KvfoW3/UJb4PeZOSZVONThZz4djP/75TAXa/CVfOvX3RgVLIDreLPN1pP1osW7lGmHsEhjBOzf+EPBE4vndvWz5xb/cChxGcv1LAb+tluALKnZ47isf1MXvz1ZMlsCXbXtPceqhrcp1ps6YHwQeBXLEPCf7q23tl9uJui0bGBgYRAccv7uXr/g5Af+2oNTrpgTa/vnpjBvpLAwM4gRBPvIZGBgYGBgYGBgYGBgYGBgYGBgYGBgYNAOc9oMXs4GBgYFBcNBnww5QzDXgRtPSaZ5lg/itsRaslgZ3bnWEEVnhMetIBwiiVnlbCbWrEftrt11zdwWnseFW1QO63w1is3ptD1pV9xG0t+zvfUrzrvh380qwXWAVCw6h78GIfG7ZlzltXu6hd+y92fECRFhjuH3bXG8N43oXEHperdzvUbteaDxhVTUeq25fqhG1X6Ai8mtF6BDXz2wR+dzSgg4Qsxls5T11XMG+82y8GkG+b7kL69xg7mF1SFvhBgYGsYH/Xi7HE+PVkiB2jt1bNZxT+k4558jR53ydz5//1m1KOgYGBgYGBgYGEQfnsYaG2z1sdPJS79XQSu91ndobOAHCaN5vNzUk1bceQVzUpbw3iOuT+UFmR18bHrp3gyhDC56lCd1y85w2+HSNUwVhhdGC7blLf+bV/fqtvhMg1NDjCcugB1QXswbs8ekj/v1BgzFHBIIsyP+HfwFdMpzu", + "decompressed_size": 27831, + "encoding": "zlib" + }, + "identifier": "endpointpe", + "prevention_threshold": 0.66, + "score": 1, + "threshold": 0.66, + "version": "3.0.33" + }, + "pid": 1076, + "ppid": 432, + "signature_signer": "", + "temp_file_path": "C:\\Windows\\TEMP\\27fef9a8-bd80-4784-934c-76b383147d3f", + "timestamp": { + "accessed": 1542789400, + "created": 1542789400, + "modified": 1542789400 + }, + "user_blacklisted": false + }, + "event_subtype_full": "file_classification_event", + "event_type_full": "alert_event", + "metadata": { + "beta_alert": false, + "chunk_id": 0, + "collection_time": 1542789400, + "correlation_id": "3aab8e43-2cdb-4d32-b46b-b8382ff11939", + "destination_plugin": "send", + "final": true, + "is_alert": true, + "key": "fileClassificationEventResponse", + "message_id": "31b54c77-fdbb-4550-9259-0dce12b98ec2", + "origination_task_id": "7aa040c3-7751-4b8f-9629-9ed4d84c1507", + "os_type": "windows", + "priority": 80, + "result": { + "local_code": 0, + "local_msg": "Success" + }, + "semantic_version": "3.50.0", + "sensor_version": "3.50.0", + "task_id": "7aa040c3-7751-4b8f-9629-9ed4d84c1507", + "type": "detection" + }, + "opcode": 8, + "serial_event_id": 167011, + "timestamp": 132140242101035230, + "timestamp_utc": "2019-09-27 02:16:50Z" + }, + "event": { + "action": "file_classification_event", + "dataset": "esensor", + "kind": "alert", + "module": "endgame" + }, + "host": { + "hostname": "HD-ssm-0b0d26ad", + "ip": "10.81.164.74", + "name": "HD-ssm-0b0d26ad", + "os": { + "name": "Windows", + "platform": "windows", + "version": "6.1" + } + }, + "labels": { + "account_id": "8c48070b-4b61-4ded-86d5-1b9a7a78229c", + "endpoint_id": "5085268f-7443-4f15-85d2-bf14b2a69c60" + }, + "user": { + "group": { + } + } + }, + "type": "_doc" + } + }, + { + "type": "doc", + "value": { + "id": "kuNEc20BW148Je-rmp1N", + "index": "test_alert_data", + "source": { + "@timestamp": 1542341895000, + "agent": { + "id": "ced9c68e-b94a-4d66-bb4c-6106514f0a2f", + "type": "endgame", + "version": "3.0.0" + }, + "ecs": { + "version": "1.1.0" + }, + "endgame": { + "data": { + "alert_details": { + "acting_process": { + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "cmdline": "C:\\Windows\\Explorer.EXE", + "create_time": 1542341500, + "domain": "WIN-Q3DOP1UKA81", + "exe": "C:\\Windows\\explorer.exe", + "hashes": { + "md5": "ac4c51eb24aa95b77f705ab159189e24", + "sha1": "4583daf9442880204730fb2c8a060430640494b1", + "sha256": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a" + }, + "imphash": "6422e341c67ba0880e012f8c7c634c21", + "is_sensor": false, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "md5": "ac4c51eb24aa95b77f705ab159189e24", + "modules": [ + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290248516, + "hashes": { + "imphash": "6422e341c67ba0880e012f8c7c634c21", + "md5": "ac4c51eb24aa95b77f705ab159189e24", + "sha1": "4583daf9442880204730fb2c8a060430640494b1", + "sha256": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 4278845440, + "mapped_size": 0, + "path": "C:\\Windows\\Explorer.EXE", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 05:28" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258681, + "hashes": { + "imphash": "d41d8cd98f00b204e9800998ecf8427e", + "md5": "3556d5a8bf2cc508bdab51dec38d7c61", + "sha1": "92015f7bbdb9dad35e41c533d2c5b85f1cd63d85", + "sha256": "91e3d98ad3119e8addf8d2aa1dd6795162842fff7101e4c70c5137e847b4ff50" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2007891968, + "mapped_size": 0, + "path": "C:\\Windows\\SYSTEM32\\ntdll.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258315, + "hashes": { + "imphash": "9165b02c931d76a9b666d8d42128111b", + "md5": "7a6326d96d53048fdec542df23d875a0", + "sha1": "5c02af0206c299f5bcab8da4237cfc92e3e93495", + "sha256": "182351570856cd6eedd9df7e2fb8ab76bd4d8fc70be11ad5de6484cfd70c21c6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2006712320, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\kernel32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258316, + "hashes": { + "imphash": "3f7fb1504bb73a54888bf1c3650fe4cf", + "md5": "da68c291b4ef2dec9c5963266bcae454", + "sha1": "5696e8c68fcf64104499e20e7cd5452b58b4f4ba", + "sha256": "21aa4779fc21e762178517268c95467238c92851ad9160bffc36b2379c58337f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791760175104, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\KERNELBASE.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534699, + "hashes": { + "imphash": "e1ee2d71958d21e0e1bf887dfe76af7f", + "md5": "6df46d2bd74e3da1b45f08f10d172732", + "sha1": "3491f8f9a73c00b158e43a530210d67a4f0598ae", + "sha256": "2dc945f6f2c4a82189bc7da2fcbb7d9a0e2588a909539249e55ba82468e0c677" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791763779584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ADVAPI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535038, + "hashes": { + "imphash": "8c99b1c0f6cf68b07336751f460f1dba", + "md5": "7319bb10fa1f86e49e3dcf4136f6c957", + "sha1": "3eea5ee8bafb2b9975b236c5c5655df6f4b42aa1", + "sha256": "60de43ab267fd41c9804369b569139add30ed4e295c425f44fc04d3fcc95fca2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791790780416, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\msvcrt.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535198, + "hashes": { + "imphash": "b8ba136689cdc8d8b25fc04902f39a22", + "md5": "83404dcbce4925b6a5a77c5170f46d86", + "sha1": "22bda6b9da4fcf492b4dd16554b0c0e27e1b8667", + "sha256": "d669614d0b4461db244ad99fbe1ba92ceb9b4ed5ec8e987e23764e77d9ac7074" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791793074176, + "mapped_size": 0, + "path": "C:\\Windows\\SYSTEM32\\sechost.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258798, + "hashes": { + "imphash": "46876e4adb924a616ddbbb1992d61257", + "md5": "0611473c1ad9e2d991cd9482068417f7", + "sha1": "c4a3fa902dedad5d448e1d8b2d113cae1dcf2f7a", + "sha256": "90afcc2a60350ece27e75e76459132ef0fa28ef283ce88fced4b82735a93ecda" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791762403328, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\RPCRT4.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258001, + "hashes": { + "imphash": "51945fdf9aaf56aeb9d6fa1f21b638ce", + "md5": "1084aa52ccc324ea54c7121fa24c2221", + "sha1": "b13ef924708fa88577931ed0337000e90adcdf5b", + "sha256": "6e972cf624f7c0de8190434b3b30279a01c551713109f97b9ebb77fac9364754" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791792615424, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\GDI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258929, + "hashes": { + "imphash": "2cb501375ed127591bf5cfee7f1e52fe", + "md5": "fe70103391a64039a921dbfff9c7ab1b", + "sha1": "e0019d9442aeebd3bb42a24c38aa2fae4c6bd4f5", + "sha256": "f7d219d75037bc98f6c69143b00ab6000a31f8b5e211e0af514f4f4b681522a0" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2005663744, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USER32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534943, + "hashes": { + "imphash": "919110853c18aa198ad129945337b1dd", + "md5": "d202223587518b13d72d68937b7e3f70", + "sha1": "916a3ce858f074f57dd9dac01be5cd4649f19887", + "sha256": "9db971b866d058adbb518dd99b87c5db8dd1e7c9073755b989ae7e9fb62901e8" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791763714048, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\LPK.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258933, + "hashes": { + "imphash": "17bf46cf6bf6c8cae48be5b75615a353", + "md5": "2f8b1e3ee3545d3b5a8d56fa1ae07b65", + "sha1": "66310680ee38904b2852717af13028e53b4e8b8e", + "sha256": "2a3ec01f3bafe7d7d656886437f7ffecce440c0d3f3467804769ab4bf1ff7a99" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791782522880, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USP10.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258859, + "hashes": { + "imphash": "4b37cbf60127ea0550ec30e0b1c52984", + "md5": "eaf32cb8c1f810e4715b4dfbe785c7ff", + "sha1": "3b099b193abb9064e6937101d0c309f04d713882", + "sha256": "db6ad07fded42433e669508ab73faff6daff04575d6f1d016fe3eb6ecec4dd5d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791792091136, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SHLWAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258854, + "hashes": { + "imphash": "9c631776d86c9b15258c3cc2a6a7891d", + "md5": "26e716ed95dc48cf6e5ac046089366af", + "sha1": "2bd96b8ae5ae3ad14c16d2a98a91a9a9f26d179d", + "sha256": "f686d557b7ac1688efc7cb48311290d713d3db2e9e61e947098a7c80e3a1b9e9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791765811200, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SHELL32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258732, + "hashes": { + "imphash": "faad2d5bf5c0ca9639e07a49e8c5d8ae", + "md5": "6c60b5aca7442efb794082cdacfc001c", + "sha1": "aae17944782b25f41f7b3a756532b4923f4ae817", + "sha256": "fc1d9124856a70ff232ef3057d66bee803295847624ce23b4d0217f23af52c75" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791783374848, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ole32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258736, + "hashes": { + "imphash": "774fed8966de60d3af2dd9070df5be6f", + "md5": "42f05f980f164e084db65b2e8cd8430f", + "sha1": "86498b3c5bbc240b9de0a10f2cb4185e754de6d7", + "sha256": "0813749847b08f6577791d18ad9eca6dff5b41c2f727ab5ee9e5bf9602ed50cb" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791785537536, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\OLEAUT32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258088, + "hashes": { + "imphash": "ec96d3f694248151f968633563d10a36", + "md5": "eed05d42d91835064703e2318552ed25", + "sha1": "aa7e817ccad26070bce1161894f97e10aaa56fb9", + "sha256": "e9ee1e2253445b207b76f5d3073c612ed979a982522c1515e0fe8fa9641ae568" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791634935808, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\EXPLORERFRAME.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534886, + "hashes": { + "imphash": "c0e1a4a34891e5dd2a6cbaa0895a8d38", + "md5": "8ccde014a4cdf84564e03ace064ca753", + "sha1": "957e29e029fe60b8ff43ff732463c39230b78226", + "sha256": "dd663029b2eb7b12fdb00fce403d8326141e540e3b9ce84cd5871473d3e2e2cf" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791735599104, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\DUser.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534885, + "hashes": { + "imphash": "9353143c2b77b94cc82ab55c5fecf99c", + "md5": "3cb6a7286422c72c34dab54a5dff1a34", + "sha1": "5b93896a6abb36c2b8957973e3ce1860c1059367", + "sha256": "98d21efff511e407336a226420701e82554da01fa05661303836b6860d63749d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791721181184, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\DUI70.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534912, + "hashes": { + "imphash": "d76d7be0b8ac9aafe17d2cc7deb32b29", + "md5": "aa2c08ce85653b1a0d2e4ab407fa176c", + "sha1": "0119c23d88292a0e4fec04d5cf8629005a44e37c", + "sha256": "83dfd0c119b20aedb07114c9d1cf9ce2dfa938d0f1070256b0591a9e2c3997fa" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791793205248, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\IMM32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535018, + "hashes": { + "imphash": "b523fff180cb22465ccf191b827e9923", + "md5": "c431eaf5caa1c82cac2534a2eab348a3", + "sha1": "e425577ccfc9b92efbbcb760d21fcaa478d3e51a", + "sha256": "addf850128dc675e67faba9a3d0d27e684f01f733962ca22927bb94503549e44" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791764697088, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSCTF.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535251, + "hashes": { + "imphash": "56e651a119cdb899aadd2df3832bbcd1", + "md5": "d29e998e8277666982b4f0303bf4e7af", + "sha1": "e803b0af61ea2ddcd58b5a63b1cfbb73266318ea", + "sha256": "4f19ab5dc173e278ebe45832f6ceaa40e2df6a2eddc81b2828122442fe5d376c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791742480384, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\UxTheme.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535202, + "hashes": { + "imphash": "1c419f7cfacebfcd8e903e6be290407e", + "md5": "716175021bda290504ce434273f666bc", + "sha1": "4f00fbf4e9a88fae9e6682989032831b3d2eba86", + "sha256": "fa18ca2d8a5f4335e051e2933147d3c1e7308f7d446e2aeb6596cdef6e2afc88" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791718690816, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\POWRPROF.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258850, + "hashes": { + "imphash": "a7a25e8b145e75fdeb21026d3895033a", + "md5": "5d8e6c95156ed1f79a63d1eade6f9ed5", + "sha1": "cadd211d74385550c5e055d3312303f4d64fdebc", + "sha256": "12130837d7f89a2c7e9d25747a8e5b9001e0a38d545178b49b450c23ae62664a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791788814336, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SETUPAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257756, + "hashes": { + "imphash": "5cd9d6761799e2ff681533ef1ffbb31d", + "md5": "2477a28081bdaee622cf045acf8ee124", + "sha1": "304c5f29fa847fbd994ad7a0471214198b928c14", + "sha256": "00a09caf9129e84feea98fa03ce9012c9f961b64fee15c4f268822c0f82acc3c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791760633856, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CFGMGR32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534817, + "hashes": { + "imphash": "2dbdaadf7e151289a49662379e253dfd", + "md5": "06fec9e8117103bb1141a560e98077da", + "sha1": "a8922793a930d602409b62be5ff01d5baec60000", + "sha256": "c5e61b11ddbbbbba3d9488970524f0975ea5fbdf16e2fa31f579f8bfa48353b1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791760044032, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\DEVOBJ.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534887, + "hashes": { + "imphash": "e7f2585307f1db90e7e5e48c40dc7134", + "md5": "da1b7075260f3872585bfcdd668c648b", + "sha1": "f2bd334006d728422721b7c639145a6ec59a459b", + "sha256": "3e10ef6e1a5c341b478322cb78a0ab7bfc70ad8023779b8b4542a7cb4ca756ab" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791742873600, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dwmapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535203, + "hashes": { + "imphash": "6a5a31c99a1562b9e5e10f4b4445be95", + "md5": "be097f5bb10f9079fceb2dc4e7e20f02", + "sha1": "dd572bac50bc4718126389c628d56a83d5c4d88a", + "sha256": "90a88986c8c5f30fb153ec803feda6572b2c2630a6c9578fcc017800692694d5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791732256768, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\slc.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257495, + "hashes": { + "imphash": "fd8a6a2046d9572b7f8f4288ae251c61", + "md5": "497bfeddaf3950dd909c3b0c5558a25d", + "sha1": "5d55bdc156372f51eb126f7bc2a8af161a1ef254", + "sha256": "980ea189929d95eb36e35980fff0c81f7b78de9422771fde8f4ac7a779f5bd89" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791732453376, + "mapped_size": 0, + "path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258848, + "hashes": { + "imphash": "cc4d63ca30fdbb90048e549782d2116a", + "md5": "858df0795cb5b4bace0f33708925a414", + "sha1": "e629ed78e6e1829263890974760dad8a431edf69", + "sha256": "a9063af8d5c73a722bd269d144d8a65c98db4cfdd9f626e3a8283754e22c8c9c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791754801152, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\Secur32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258927, + "hashes": { + "imphash": "b32250da0d30f7782b5b900d4d9c519a", + "md5": "2a86e54b441ad41557f75dc5609b9793", + "sha1": "83ddcf8a1a0ca423bf8417f5e59b5c431bf50c43", + "sha256": "8fede6909413c0fa5b63d58d39affd0f6c3beeaf19b7b2f8674913abfd79a912" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791756701696, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SSPICLI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258762, + "hashes": { + "imphash": "26c2856b9813d8990c01c5a711b5063a", + "md5": "f06bb4e336ea57511fdbafafcc47de62", + "sha1": "bfee1b9d2269d26d99c8e462825ee8399c8bd4ec", + "sha256": "be43ec62548e9ff89a9495a1722e22dbb76eec3764f86e64057b636f27d15765" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791728259072, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\PROPSYS.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534993, + "hashes": { + "imphash": "f0c6fd6831905d958b05645b680db89f", + "md5": "784fa3df338e2e8f5f0389d6fac428af", + "sha1": "6d32c67c91c6d374854e907c6719db2538540867", + "sha256": "9c8aa0cfdeb9e38aaf8eb08626070e0f0364f4f8a793cfe3532ec6c007980c34" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791757291520, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPTBASE.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257499, + "hashes": { + "imphash": "cd11f800bc54ae45ead9d98c96048145", + "md5": "7fa8fdc2c2a27817fd0f624e78d3b50c", + "sha1": "b4aa8e16396b1882eb75c28dfbec9949608afdde", + "sha256": "7b63f6aa2cd6d4d07ea3c595b868b1a0749bb11620027a2bd9b935e3055481e4" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791736123392, + "mapped_size": 0, + "path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258974, + "hashes": { + "imphash": "b03f7d8315f3384d06c11e961e6fee07", + "md5": "26b73a85855681500bcc25c7cd9ff5b1", + "sha1": "393ed9ebbe380c77935df6d0eda2047cdd2224fe", + "sha256": "94d134a6af53ad629a4505b8b0ea37f61bb43af4db71874e7e87853163a9282a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791724851200, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WindowsCodecs.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535135, + "hashes": { + "imphash": "ff720e05e534d67b814b8562265058f5", + "md5": "2c942733a5983dd4502219ff37c7ebc7", + "sha1": "263e8fbf77c0ceead0c9bca56394bffa4a664361", + "sha256": "34b20b6b0d7274e4b5b783f1d2345bc3dd9888964d5c2c65712f041a00cf5b45" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791758143488, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\profapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257558, + "hashes": { + "imphash": "6af6d846a78a6532fcb989d0d8aeb17d", + "md5": "90499f3163a9f815cf196a205ea3cd5d", + "sha1": "f97ff54dc4b132756fcf7041e55d645163f19851", + "sha256": "29b4ed3795cec1177eb367132914ce21c194cdec5db9dc923fd928c85e94d821" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791756898304, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\apphelp.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534778, + "hashes": { + "imphash": "37afbae3e0f359c3718e379261f7ccfc", + "md5": "25983de69b57142039ac8d95e71cd9c9", + "sha1": "01691e3b0bfa569e64bdb7dc3d637a867ed2dc08", + "sha256": "a677da7ebcbcb6073d27e8a38809f51e971e83ed379bc599aaad6ef4216348da" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791787700224, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CLBCatQ.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534842, + "hashes": { + "imphash": "cbda3eb1c9c46a2121362e9775f60b47", + "md5": "024352feec9042260bb4cfb4d79a206b", + "sha1": "79c23ce566219f87ade8e55a292aaaabe4a639ec", + "sha256": "60cb39086e10c5b66ebc15e4df219620b344b4358d2918ab6bb3448a0ac8be36" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791731994624, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\EhStorShell.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258701, + "hashes": { + "imphash": "37dad3873d5388f07576532bc042f677", + "md5": "7bbf670114373ce6a203fa155a9e0d0a", + "sha1": "104d89dde030b661d05c4c63a03fae1f46ab52d2", + "sha256": "36ef0a36c679e53b1b169289bd3c05d7c2839dc20c8c87bf520b633911fde198" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791647518720, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ntshrui.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258920, + "hashes": { + "imphash": "2d37f2d4b3c246f361ca150fc7ebf8d4", + "md5": "3a9c9baf610b0dd4967086040b3b62a9", + "sha1": "3207ac7f895eab34623d994548d7810e54be3e79", + "sha256": "e8e9a0f42b1ee7806edceed08aa024d037215d06ca317e3678bd5364ad513d23" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791753228288, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\srvcli.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258010, + "hashes": { + "imphash": "2ba777561101c3b07566cc50db3a564c", + "md5": "1bf0cb861a48feb1638228760750f3cb", + "sha1": "fbc77224c1b444a6ec25e99f995f2f355e4d1d26", + "sha256": "37c781a8c546ead8b4d28bd7d730b9ac78eb799599ad69dad9054b6f9f1dd6bd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791649091584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\cscapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:35" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247534897, + "hashes": { + "imphash": "5bf52e420b6d5991bdcce16ada0828dc", + "md5": "1d63f4366288b8a7595397e27010fd44", + "sha1": "e459e1227083e4eabd19ee20e13754560fc7e02d", + "sha256": "99ea4ddd88d9c4a4cc9b238f533cb4d2c062d46239173997e8594d8a75811a01" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791735533568, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\IconCodecService.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534998, + "hashes": { + "imphash": "77870f98ca4d25a823c74d7404a64bfd", + "md5": "d0c2fbb6d97416b0166478fc7ae2b212", + "sha1": "e290bdf2312ac30a4e9f2a96d7c84714eee84899", + "sha256": "7eab6c37f0a845e645ca44cc060ac6c56e386c7ef7a64716c6786c9602ad8c9d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791750606848, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPTSP.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 17:43" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247535161, + "hashes": { + "imphash": "b8c20a01e4d94df61ee21f5350389f9c", + "md5": "5d8874a8c11dddde29e12de0e2013493", + "sha1": "a1c8e3e6ee44dcb68752d44b3b6f4ecce89c388d", + "sha256": "3e9a57137bf622af83e3e4d58971e2c0200559cca7545d16cf263aa03ee9c7d2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791747461120, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\rsaenh.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258799, + "hashes": { + "imphash": "a198edd0f73abd7cdbb54eef82ab1fc6", + "md5": "c2a8cb1275ecb85d246a9ecc02a728e3", + "sha1": "4417207821fc8f5c72ff531683f183caef297882", + "sha256": "3603fadca0060bd201148f9d59e4e2627f024609a6463ab525b5d1ad17bdcd10" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791758012416, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\RpcRtRemote.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258895, + "hashes": { + "imphash": "4fe9beaa9bd4aa01f5063a7352325c89", + "md5": "d7f1ef374a90709b31591823b002f918", + "sha1": "336ac44b8ee88a6af3f3eaf461b8bdf94fa657ff", + "sha256": "05fd2837c9b03d14bb2a969c1ad77caef047d93dc5d0f6c2acbf0888e8f7b359" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791730683904, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SndVolSSO.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534873, + "hashes": { + "imphash": "0a90384377303e2a2625725018566a89", + "md5": "896f15a6434d93edb42519d5e18e6b50", + "sha1": "b91a3512a80c4201c3fcfaf62abace894fbba328", + "sha256": "9263f0cec58d45ebe3fb9c3061fb9392c55a7933b84b4592e6ee13cfc86d5a50" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791731929088, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\HID.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534952, + "hashes": { + "imphash": "98a24f570dbcd3a092d95b3bd4e51a53", + "md5": "227e2c382a1e02f8d4965e664d3bbe43", + "sha1": "c4971ba9c1e4fdf0106c7cfab626a3d8737bbd07", + "sha256": "1cff20a8bf87ace4fa4935ebeed72bfb1a1fe902a754899e2f50798d67df5642" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791729504256, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\MMDevApi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258898, + "hashes": { + "imphash": "e99757a4c1beee1b5bf8b7b33b444dcc", + "md5": "1fcb1a72bf5c784f7358e6bef38e4571", + "sha1": "ef944a320de79bf05f0e30f54f3f8b2ba2e82c4a", + "sha256": "12da4240f8c964eda6223257bd9723fd9372e63ae86f00509163b1de12a5f6c5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791637426176, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\timedate.cpl", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534704, + "hashes": { + "imphash": "d6de6fde05f96ac848accdb1aef473e4", + "md5": "58775492ffd419248b08325e583c527f", + "sha1": "b0e9ca05d46cb53049c4ca33fe04bd08989a78f9", + "sha256": "dbb013971f5894f25c222c2d4d50a29db6df3c413792ee9ccc1a9e6d85469093" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791732322304, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ATL.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535266, + "hashes": { + "imphash": "fa1e670045065ff088a4ac664f9ac3d7", + "md5": "9f2bacd5e1776a4bb7cc0ec3c3a4f96d", + "sha1": "ad8c7ec85d532e5725b8535830f27c1abcf139b4", + "sha256": "19959d18601712901f03b83150d15e34ebcab355bb4692c9a28511a72f57fc66" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791730618368, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINBRAND.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257498, + "hashes": { + "imphash": "53f2c3eaeaa6e619e0ccd6e671e96145", + "md5": "e6f0f82788e8bd0f7a616350efa0761c", + "sha1": "9aa4aafda89325853ffa66169e697529164a23a2", + "sha256": "13091dcb3e3f4f52c3ff210e93aaf1dce142cfc09f671aeac5b922393b23e67b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791633952768, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\actxprxy.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535165, + "hashes": { + "imphash": "ae5e5f76641aadaf99f0ca29d2e1cadd", + "md5": "1f4492fe41767cdb8b89d17655847cdd", + "sha1": "c836a5e65d56900b6658fdaa3df8579bdd07ec69", + "sha256": "184547fac0c3d7148faa3f601929a7089de393bd19929a137dad743331dd3f77" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791719739392, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ntmarta.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259030, + "hashes": { + "imphash": "f792b6ec2e11bc79d8eb1bb1bcb79a91", + "md5": "4e4ffb09d895aa000dd56d1404f69a7e", + "sha1": "40f5c1890f6de5284f6c897255e6907b0272349a", + "sha256": "d999e04bb35780088480eab322176570591a21e311d204bdcab010a63b34d24c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791794974720, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WLDAP32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258853, + "hashes": { + "imphash": "2507624727988c72eb2a628a990000fd", + "md5": "c4f40f6cacd796a8e16671d0e9a2f319", + "sha1": "0881ae2a2fd3c5f03654410c474e5a25317942b2", + "sha256": "44853c645915d910ed0cc6d38f68b6c222528ec5fcbe990e238010f41204e682" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791729897472, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\shdocvw.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534923, + "hashes": { + "imphash": "e52a872655c57d1b906101b6d5449bbf", + "md5": "a0a65d306a5490d2eb8e7de66898ecfd", + "sha1": "880ac520eb1d38ebb591707a26e6dd300df40643", + "sha256": "ce5da408f4edd5e81ce0925867f03c9a35172cf1571fe4c4c052e45ab69822bb" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791729831936, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\LINKINFO.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258932, + "hashes": { + "imphash": "0e8a67fa12ce3d22a9e1d18bda5c3260", + "md5": "7a17485dc7d8a7ac81321a42cd034519", + "sha1": "83d1722a35eb16b010d8c9f72c627e97d4642101", + "sha256": "88d8705fa901793fc8c1cfd0175e49a6502bf0fc94a066ba573d2fd13aa5f04a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791745036288, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USERENV.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258852, + "hashes": { + "imphash": "8b5c65294bec1cf89e97325a24b8cfc5", + "md5": "4e9c2db10f7e6ae91bf761139d4b745b", + "sha1": "6e8e6a53269ca8acc8c2456c80cd3a56d8deb98d", + "sha256": "8f63f78294f5585d599a114af449dcc447ccb239d0f0b490bfe6b34a2146e730" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791704207360, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\shacct.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535152, + "hashes": { + "imphash": "44b39e98ae2946f304f4dbadcfffa307", + "md5": "5b3ebfc3da142324b388ddcc4465e1ff", + "sha1": "86e20ebf70fd35723eb635c4f3684891a2547a7b", + "sha256": "5d58642305311f9bc9b779c9598bfc4e7433b3ea58404bf1ff9466838a2328c7" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791716069376, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SAMLIB.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258793, + "hashes": { + "imphash": "7fec5787890bfedd3b3aa4082f53a08e", + "md5": "fc51229c7d4afa0d6f186133728b95ab", + "sha1": "f7a2f224356e68b612ecce4512c99f5b9c264d7d", + "sha256": "37e58c8e1c8437d1981725a5dcdaca7316cefbb570370cefc8d122f523b96ac0" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791714168832, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\samcli.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258588, + "hashes": { + "imphash": "96f28fef38c977afbf3f6e8f39c0d6b9", + "md5": "6ceca4c6a489c9b2e6073afdaae3f607", + "sha1": "b228f6208642cb99e5bcdf2d3ebda2b8bc4fb020", + "sha256": "127506d1db38275614cbeb047c133718ef9d03266ba9c98be55ec7847cfc9c3d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791722426368, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\netutils.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535084, + "hashes": { + "imphash": "14bd8d9a93b98b2479e1f6cd57b7c790", + "md5": "7cb3acb163de051169095dc6507b8977", + "sha1": "b891ebebb25655157f7c612d5763e995c86009a2", + "sha256": "45d4deb0695440d8b5e959945b3f7a773e02e2ab305e316123a1064fc1905402" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791703945216, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\msls31.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257535, + "hashes": { + "imphash": "bf738a2fc0ab0601eea36f35e4cbcd27", + "md5": "0bee002c68e28ce6da161dcf1376d7d7", + "sha1": "d5cc3bec12c801e11217acc6927e1e6e401fe208", + "sha256": "1d4ee0b9ce22d139478008d5591b8c9f027c235cba601f95a96547cf98159d4b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791631134720, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\authui.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258007, + "hashes": { + "imphash": "76801e47683b36a4115dbe046717edbe", + "md5": "b3bfbd758506ecb50c5804aaa76318f9", + "sha1": "bf6c922467347a6690eb19c5e82be09b3295778b", + "sha256": "34e079a6ab2d41d1e0b3887b6ae31c43941061b7176fff2801c3f465c2c89578" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791630020608, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPTUI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257999, + "hashes": { + "imphash": "04534d8dae5ab230b9bee9b1b0b2829d", + "md5": "3f9f2afa135f0663946a006dd5ffd897", + "sha1": "ea6456859b04b68af8dcd453381dd168af53fc5e", + "sha256": "276d1c9c78c529625c2ef3d77079324628686ea184767971901a1de93681c133" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791760896000, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPT32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258373, + "hashes": { + "imphash": "2e50bc5d9fe777770c8a6b2cfaf6b2e9", + "md5": "884415bd4269c02eaf8e2613bf85500d", + "sha1": "c3a64f05c210b38c69d8f1fc1d74a71b56ada30c", + "sha256": "efe771709ec942694fd206ac8d0a48ed7dcd35036f074268e4aecd68ac982cea" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791759060992, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSASN1.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258922, + "hashes": { + "imphash": "75124ca243f494ff6127697f3ebc418a", + "md5": "5fada8b707318e1bd63a7e2b81e6c8cb", + "sha1": "c5ad1c9bbc2f565237a144b9cf44711dfcf65ea5", + "sha256": "2590e88cab52fcc1b24cb262d293131c6280a5f234e0c130e77aa8697efa3b5f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791793401856, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\urlmon.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258980, + "hashes": { + "imphash": "248b27a31ddf696c2e3bfe6aed9c3eba", + "md5": "f6c5302e1f4813d552f41a0ac82455e5", + "sha1": "f0ec3ad7e90f559d1bc9b8849cf5668cafba2031", + "sha256": "e3ebf44621efc6381baae0f0efc13c356dcb6ee31bb258137edb3cc3e18549b5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791786455040, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WININET.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258097, + "hashes": { + "imphash": "f6db6123d8a383f58cf318d00d2e7d1d", + "md5": "5180380d353277d395d3b36d790aa93e", + "sha1": "d5622ec5d922233867422d1e143969e226bb9a1c", + "sha256": "89b894eccf65704d00d30ea3bd45b184bfab8345b779f9ae2be66b9fc7226f72" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791780032512, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\iertutil.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535234, + "hashes": { + "imphash": "13ecfa3a285149680a7a4b174c8b8f5b", + "md5": "94e026870a55aaeaff7853c1754091e9", + "sha1": "a4f845318e095d841b05e1400747ee4c28e1f28e", + "sha256": "b2f5d5629d12bdfa98dbed3898368f37d9009c7531b6909c7285a2c11c9a0f93" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791743004672, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\VERSION.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259004, + "hashes": { + "imphash": "da0bcac0c5f9dc653d00eecd5fb1c801", + "md5": "0d9764d58c5efd672b7184854b152e5e", + "sha1": "99d78db040987c69b6a70a42af86641ba0413956", + "sha256": "9827b43dabbec39ab2e2294408d9c5304ef27a684903c5234c6070387723d49e" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791758209024, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINSTA.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535280, + "hashes": { + "imphash": "af1203c1d6d810c97729856780869b12", + "md5": "ef2ae43bcd46abb13fc3e5b2b1935c73", + "sha1": "c53e005cd04d99331ce3114ac119256133202313", + "sha256": "81fc06f306f620845d7dd8d06e706309e70bc89b589c81f3478302a3f5f73431" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791683301376, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINMM.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258936, + "hashes": { + "imphash": "7e9874f9ecf2191b91f9a4dfa37f2ba1", + "md5": "1473768973453de50dc738c2955fc4dd", + "sha1": "7b046f6070844e3bc7deae115a1dfe5825030513", + "sha256": "14bc5da2442cb726acc1f277ddbeccf5d61e3a0a3e083a55a0bb610191e35220" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791648239616, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wdmaud.drv", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535081, + "hashes": { + "imphash": "086996ef0b01a463f114deb5244861b9", + "md5": "8560fffc8eb3a806dcd4f82252cfc8c6", + "sha1": "7562bbb63b0db6e4986ebdb86495c4fe284a1eaa", + "sha256": "cc27bc092369a89d6147b16568fedeb68b584d5738cd686c31f7fae22ed17b3b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 1968373760, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ksuser.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534742, + "hashes": { + "imphash": "690cce63d22e22d9aa225c4a9290b2c4", + "md5": "78a1e65207484b7f8d3217507745f47c", + "sha1": "3542a591e9c97b48739f69e2a193dff461ea097c", + "sha256": "35f413adb9d157f3666dd15dd58104d629cd9143198a1ab914b73a4a3c9903dd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791718625280, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\AVRT.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257517, + "hashes": { + "imphash": "64661addcde8896487dcc7cd32a4eda9", + "md5": "dc220ae6f64819099f7ebd6f137e32e7", + "sha1": "5707f15b666c7d3b07dfce9dac665a2e45c39113", + "sha256": "b8fe13b859fa83500dd95637fa6d4a5b8392c2a363e41d014d3b5374f636e1de" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791659118592, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\AUDIOSES.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534992, + "hashes": { + "imphash": "3bf8d3fd03f9d07b7821df4b1da2be9d", + "md5": "1b7c3a37362c7b2890168c5fc61c8d9b", + "sha1": "78ba8d596c0ac4c38acb498416957891570a2a1d", + "sha256": "03727930e5bb5f9d91bab901fc9a2e3b795d68e2aee6a2cc3477f356c45a9c54" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791728062464, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\msacm32.drv", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534991, + "hashes": { + "imphash": "9611d7fd4fe3c571fbf1db3d718ba82c", + "md5": "10ac5ce9f78dc281a1bbd9b8cc587b8a", + "sha1": "207582f9d9bec00a932fba886d575ee5b6502d42", + "sha256": "72288c0a88916d3c3828dbd948dbdb0928f26106319f8e60102d6c9004514d60" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791716659200, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSACM32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535038, + "hashes": { + "imphash": "5a8ee2f48e79ef6ac4b33366d6642b50", + "md5": "ca2a0750ed830678997695ff61b04c30", + "sha1": "a27df990dde73e72bb02105f8af689a1ac324e59", + "sha256": "e84860cd97aa3c4565abb2d5d406a5c42b1ad2d8ba1b8cf81fe564d91f15f976" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791727996928, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\midimap.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 07:10" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247535256, + "hashes": { + "imphash": "04a5e982c134477b1914ebcd7b6436d0", + "md5": "d6f630c1fd7f436316093ae500363b19", + "sha1": "197897b74f411040ba7df41a5bd3c1030661b904", + "sha256": "73a94b4938430396ea4240b1a6676b4e6c19cfaf8c52efb9a69b4b2175a86307" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791727734784, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\XmlLite.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258889, + "hashes": { + "imphash": "8181b1ef70ff3d29984db497f92a2662", + "md5": "c3761661c17c2248a9379a8fb89e3de1", + "sha1": "d2ea41e02bbaa77f8b93b09277596a34cdae8853", + "sha256": "ce3477fa2b4058eb80739e0161fe957545f13cf86d313f6422732901d35f75f2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791617568768, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\stobject.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257641, + "hashes": { + "imphash": "fbe995ff97475c5aa2777a4bc493d4b1", + "md5": "f832eeea97cdda1af577e721f652a0d1", + "sha1": "48f227a1e10d49edf56e3559e05c871bc285c199", + "sha256": "ebbb7ca199ba4df231123922bd310d43de0104c6185b70fe0281b938d5336f2e" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791616782336, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\BatMeter.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535260, + "hashes": { + "imphash": "5d8fff13bf206e589cae241fc7f4d464", + "md5": "bd3674be7fc9d8d3732c83e8499576ed", + "sha1": "cb96190d6366e11dd6e6b48f4cdc4332015cfa67", + "sha256": "e6716a5895d629263a4d21959f48840429ab6f4b55a5fa2663ee5e86c9ca2bf1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791727538176, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WTSAPI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259008, + "hashes": { + "imphash": "b2ecd39ae0055d9e1b8aa5bc78942cba", + "md5": "eb3f9c2de1236b5d46b2291d82970e43", + "sha1": "0ce9ddc1063256ab571b916389321fd7f572ddc0", + "sha256": "8a43d335f3d573bed98af54bb51e82546c2acc025da8a48d801213eb14e9d5d4" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791759781888, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINTRUST.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534970, + "hashes": { + "imphash": "8accd78cb7feca81ac448f0485be30dc", + "md5": "4166f82be4d24938977dd1746be9b8a0", + "sha1": "5174036d781677f5444d9a23079baf18f4bbda44", + "sha256": "24121751b7306225ad1c808442d7b030def377e9316aa0a3c5c7460e87317881" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791730159616, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\es.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257970, + "hashes": { + "imphash": "8c20d7b93902b8c193a7fc1b4b58e9aa", + "md5": "42a9cb6906d9a8bedc83b57163e62924", + "sha1": "50e5592460d91205e912d55f60a2dd3cc4da4329", + "sha256": "e18522d3137653140757829efbfce624a5baa5842e2bba10b9e5ab6c84be49e1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791614619648, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dxp.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258826, + "hashes": { + "imphash": "1df61af51096e9bbbdc1834405984e4c", + "md5": "2d2a6ec8ead30ec3ace2fd6fb1b3e122", + "sha1": "1e77948378474e155307d290b998994f720206bf", + "sha256": "e7ea375a3bde8fc764cb09524344370b9ee25f98ad6c83e6f37a569eb8d277d6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791614160896, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\prnfldr.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259000, + "hashes": { + "imphash": "2f59265cb3df847423b60921203365be", + "md5": "0015acfbbdd164a8a730009908868ca7", + "sha1": "671c084513461900550bd49d3dccb58bdbe05adf", + "sha256": "e1ff243ad2cf959fab81efe701592414991c03416ff296adc93906e76b707c4d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791654924288, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINSPOOL.DRV", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535225, + "hashes": { + "imphash": "3d49b728c9125f451e7f2f215e9d3bbb", + "md5": "2bc7c9fd0a9f2c9afc373f3ad1ee3891", + "sha1": "1b7c6960a72509d1f408022d791c6a65acb2a75d", + "sha256": "0a82a475301202791a7c10f978f952eab7db146a702d4ea67e24e2c98bc19638" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791648108544, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\Syncreg.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258789, + "hashes": { + "imphash": "c5c69e7d20ca382ddbc49947d651a8e7", + "md5": "10f815be90a66aafc6c713d1bd626064", + "sha1": "3e21f173a6bcdf629c442d89abadc48137c61bb2", + "sha256": "01139fc04bc53594296f6a0e16b8d20b940f64bc8119fe7705c03c4947958f39" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791612325888, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\pnidui.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258791, + "hashes": { + "imphash": "6437e4761b1278fdecf142a679216f7b", + "md5": "b9f0a4020aa98b7a20287bf7fe99a1fd", + "sha1": "1f28ac7493ce972b45de191780a190504d1d0c44", + "sha256": "21138f161eeea46198890c7a2d073f2c82829e15676131bdad9f237edc7477cd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791612194816, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\QUtil.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535239, + "hashes": { + "imphash": "deeb658dae29d8df1c8dbb08f06801b0", + "md5": "3c073b0c596a0af84933e7406766b040", + "sha1": "06185554c38353211430f5f075c490558e46fb3d", + "sha256": "4698bba678f553e15ad4b07ad7fb236281f872defee97bfd637114476c8f97b3" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791752769536, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wevtapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258586, + "hashes": { + "imphash": "97bb6eee9e1ea3e5751077b655b54de5", + "md5": "a42f2c1eb3b66c54fb3c7b79d30c1a6d", + "sha1": "cee705de8d3dfcc9e2a14e0249d6be61fcd54a18", + "sha256": "a63836db3b01835dc1311526a95198d6ebccb1dc9ddafbc38ec36c128cdb98b9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791609507840, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\netshell.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258138, + "hashes": { + "imphash": "0bc508389b6b5577cf3cca214ca523a7", + "md5": "2b81776da02017a37fe26c662827470e", + "sha1": "8c85389640bea73a009d83079f8b4c963697035f", + "sha256": "a656353c50ee08422145d00db9cfd9f6d3e664753b3c454b171e2a56a8aa94dc" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791727210496, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535145, + "hashes": { + "imphash": "579f52f57e43aa6ff0d07e88af5d0ff5", + "md5": "044fe45ffd6ad40e3bbbe60b7f41babe", + "sha1": "94233c0d4169c02c85514adb1f05cd3298c87f43", + "sha256": "a1688a5e6e0f7037c850699462c2655006a7d873c97f9ab406c59d81749b6f09" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791763648512, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\NSI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535281, + "hashes": { + "imphash": "e710d6d30f2346e7cd91c89ec3b602d9", + "md5": "4c9210e8f4e052f6a4eb87716da0c24c", + "sha1": "d4fa50aded12eb162478d7606f1270b78dd1a44b", + "sha256": "460f7990bdadb7d58d6dc95b094d30a2efdc4ceed444b18a2f36e8d9076fb8b9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791726948352, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\WINNSI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258583, + "hashes": { + "imphash": "7e01da4b2a8806d2944a3ff2e271958f", + "md5": "2df36f15b2bc1571a6a542a3c2107920", + "sha1": "660a44b660d8e57ef7d7efbbc006ac390a7901fa", + "sha256": "a918f1ee95269df973421af2f5713deeaf15ef0f77baa7e8c515ffb69896fb7a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791735992320, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\nlaapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534791, + "hashes": { + "imphash": "59b31e42f8fae7b5809ba7fcae732e0c", + "md5": "4cbcc37856ea2039c27a2fb661dda0e5", + "sha1": "cc666108d34168420a1d1942dda1e090154c7296", + "sha256": "74cbfab3092a9564bddfcb84db3e3f8bcfd1492938adf187423d3355d73d21c6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791723999232, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dhcpcsvc6.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258981, + "hashes": { + "imphash": "1ec347d133df2fe4da3e5f8944caeae8", + "md5": "4bbfa57f594f7e8a8edc8f377184c3f0", + "sha1": "d48aafa576b40a5e386e609bba1010472551154a", + "sha256": "9f3ac5dea5a6250c3dbb97af79c81c0a48429486521f807355a1d7d3d861b75f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791788486656, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WS2_32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:35" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257492, + "hashes": { + "imphash": "f5d0254c5435291634c8b7357aa536bd", + "md5": "92dbf0a4c9239169010fc6e07859c82e", + "sha1": "634d8c12de82c422dfeba8f9a5fa84d03b7bcd35", + "sha256": "00fb2cf4420f0ffef519afe732a708cf249640121e2a891caa164313abd7f804" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791608655872, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\Actioncenter.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534790, + "hashes": { + "imphash": "f17020f0f66b64fbdf51c75b43f3729d", + "md5": "f568f7c08458d69e4fcd8675bbb107e4", + "sha1": "c1e05f0255a6f386711044b11e2d04dfd328b26a", + "sha256": "a5fa25ecf248999a68ccecfbb508bfa1add18a23e20a9a9081a87c41caaa36c0" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791723868160, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dhcpcsvc.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257996, + "hashes": { + "imphash": "eb1c8dd21e1f92a8be35a76b165ce8da", + "md5": "52d3d5e3586988d4d9e34acaac33105c", + "sha1": "2c20246d2c45fb6e8976b37ad62465f5f4255f2b", + "sha256": "c61b60ba962b25b8334f0941c3535ea4aca1cc060b8a196e396ca3e11ceef8a1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791746412544, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\credssp.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258110, + "hashes": { + "imphash": "9ba63732839305b29ebe539451171b45", + "md5": "8130391f82d52d36c0441f714136957f", + "sha1": "e2bb102565986a42d0a43bd3f337f94dbe54eead", + "sha256": "1fd4fee7caf63e450f27729e07ea2a2f09288629fd872dbb6e8710b16d8dbd5d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791608131584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\imapi2.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258038, + "hashes": { + "imphash": "e070eff3751fea77ccd424469a9a07e6", + "md5": "6a5c1a8ac0b572679361026d0e900420", + "sha1": "fd9241fdda4b9d08ff1e205f9d5f78923ab884d8", + "sha256": "b5e693b48b462e97738a3d4e58b60846159649eb15f4d11074b4bc107cc88562" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791607345152, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\hgcpl.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535139, + "hashes": { + "imphash": "1e00eab90042e5099339cb82841b434a", + "md5": "f7073c962c4fb7c415565dde109de49f", + "sha1": "671c2e910ff954700b3a1f80608423697895c0a9", + "sha256": "781e7088dcefbc34a808c3e7da41a56112b3f23abe9f54b5ef4d5cd9cd016b1d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791680090112, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\npmproxy.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258777, + "hashes": { + "imphash": "d402ebf00a5cffa66b6682780c262457", + "md5": "6b851e682a36453e1b1ee297ffb6e2ab", + "sha1": "3dc85ba13d1f720e8039865817bcc65dc0f1d35b", + "sha256": "a641d3fd9463c4788b45b8b5584ea4489c1f63a71b4b595ae85ff3482cd5eda6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791606099968, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\QAgent.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534818, + "hashes": { + "imphash": "09bf801b36364c598a2a8fdff079932c", + "md5": "cd1b5ad07e5f7fef30e055dcc9e96180", + "sha1": "4e835fdadd0c67fde44e385f69a1014d6ad11f4f", + "sha256": "63c58551f32b0b09377f64a6ae1fa81af93b8a707a57a8c18722086906ad3046" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791745167360, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\DEVRTL.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258413, + "hashes": { + "imphash": "08a9b8e4e42e5520be662b4663289747", + "md5": "1eac1a8ca6874bf5b15e2efb9a9a7b86", + "sha1": "30cff16f17833aa042d8b6cc32d86c4a39c77c67", + "sha256": "e15ed4fefc3010c213694331ddfdc03767682325c898d773ab243e2dc8b08461" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791633100800, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MsftEdit.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258939, + "hashes": { + "imphash": "6ac24d44010fe2db4d5e9e0651b7a3cf", + "md5": "f9959237f106f2b2609e61a290c0652e", + "sha1": "7f7c92c4fe8244a7deac7fed4d5576042bfba29e", + "sha256": "fccc12e5aae1773bf87b1c4bce71d017db1a5a7ac189559058ea1ecc72075a82" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791628709888, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\werconcpl.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535233, + "hashes": { + "imphash": "cce75846cdf9d74f85e44fc728ee8440", + "md5": "9689a9c7f7c2a1a423cda2c3b43fff65", + "sha1": "ebe6b3066634239a4f62780a8a6e27f33b0afc87", + "sha256": "914ad22d98975578bc14d821f72e8dfce24f2092f9c299d24ebbaf5408fe8b8b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791646994432, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wer.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257998, + "hashes": { + "imphash": "6e52c6bdbfd3d257064382284bd4f59c", + "md5": "1484b9ebf567346582de571b0e164ae0", + "sha1": "6b87eb7005fe659f976732307fe12b96747dfc8d", + "sha256": "9862bf22b2e32dabe7a82acee5b4ea1f0a93bdc3c71b20a6a4e568cccd76a7a6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791628382208, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\framedynos.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535235, + "hashes": { + "imphash": "64b92457c7762d63f903189058d583ca", + "md5": "7e591867422dc788b9e5bd337a669a08", + "sha1": "3bd1b2a2271d6756351d9b4876193efd8a845da0", + "sha256": "484e6bccdf7adce9a1aacad1bc7c7d7694b9e40fa90d94b14d80c607784f6c75" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791628251136, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wercplsupport.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258497, + "hashes": { + "imphash": "2814c7c81c59e8a913c288a8c72a9c1c", + "md5": "5c29199c9f0ede64f17f268084ec4392", + "sha1": "a767e893427f9b24fe06cbb3a155dd54162a402a", + "sha256": "ea9fd588a8c89399dd287399a912b356a4234cfe418239b227d255749f5ddde2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791652564992, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\msxml6.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:35" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247534858, + "hashes": { + "imphash": "2ab209fb6a68c8e15483324a442c1c4c", + "md5": "809ae7d4ace06bbcf621e5c504bf6fc8", + "sha1": "c0e2202d99db67a9efa6c67226410ad3c7b657a6", + "sha256": "0baab89fb57468f27446947d75cbd6ddfc92d9b8f040144a12656803b2f7bf65" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791722491904, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\hcproviders.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:36" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258095, + "hashes": { + "imphash": "328b1cd6b239c7c01904019379bede4b", + "md5": "77a8a1791145710c7efe76ea82bf0763", + "sha1": "e421318d7b6d66c9214722c736f5b3d4207acf74", + "sha256": "9488b96e065299d273f9dcc82aa1203b48f0038d4f27324da19e9bfd925ca737" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791627726848, + "mapped_size": 0, + "path": "C:\\Program Files\\Internet Explorer\\ieproxy.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258892, + "hashes": { + "imphash": "ec50511b4e46da8b1a467667a84f8047", + "md5": "9cead32e79a62150fe9f8557e58e008b", + "sha1": "4cbd17b96209b5e2da683382e05cef55f48d6107", + "sha256": "afe4c1725ee94d7de0749ae1495a4e5cc33c369f29b2a589da66ffe27ff9777e" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791757357056, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SXS.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258896, + "hashes": { + "imphash": "d75a096a9c47b1fd385a268e9c6f2f68", + "md5": "24f4b480f335a6c724af352253c5d98b", + "sha1": "a388cc90338cec7b5eec66e921599de0cc275a2b", + "sha256": "011413b236cad7b78ce0a0eec3e3085d48c7576a3205d025ba6ebfdf590538e4" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791660232704, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\thumbcache.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247527581, + "hashes": { + "imphash": "be693a67b5b884d7609eaf574ba00955", + "md5": "d87e1e59c73c1f98d5ded5b3850c40f5", + "sha1": "141c0ebecdd2733b90431f18b188ee0b64456268", + "sha256": "536419bff9f877d4314b5d0c045d9a6e729489c389863fadf07e382050bc84fd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2009726976, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\PSAPI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:36" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258093, + "hashes": { + "imphash": "39d5c5468a8e87803234025334b9dc09", + "md5": "f1115299b9f4c983bc4523b33e3a506c", + "sha1": "639946c23b630798284a92117882990ea31d702e", + "sha256": "01a1d8b3e5cf727f92f4a43d5c5f81022127d58a850d29d3f084ad411efbc9dd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791578836992, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ieframe.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535131, + "hashes": { + "imphash": "84786d42c8a896b9a971b3c9eb8feb4c", + "md5": "9869a4a10b90546dbd56947839fb4b87", + "sha1": "5d9642f314d62dc5834cbd7950230bad3f85d982", + "sha256": "66c84dcf39d9f6896d55b1623184a028891a0a98abe6044de1d4bad60c3c8d72" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791591157760, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\OLEACC.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258887, + "hashes": { + "imphash": "e6c083bfcedd032db2c66cd04f74c620", + "md5": "4e81439902079c348b61d7ff027fe147", + "sha1": "4386a5580b459aa4a0701addb753c3f9bf3da6f7", + "sha256": "e652c9ec77745504689532b3c394959f9b5bc29e9c008cb9ee09cda818514fa9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791658594304, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\StructuredQuery.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258589, + "hashes": { + "imphash": "45badcf3f18f69f9f72af5245898d1cb", + "md5": "405f4d32d2185f1f1bd753d8eeaffb3a", + "sha1": "68bc45bac1e1584c789a6b3134bee5a2540f3e56", + "sha256": "cac42c3e09c43be96592b670d70821386014db22d8239a9cfb9e33e54fb5c3d5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791656890368, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\NetworkExplorer.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258495, + "hashes": { + "imphash": "cdb39fb77293fb1bb86c2d5980ea8e88", + "md5": "022b05cee68d7826a93aedb4f1eb369e", + "sha1": "e7055d6cacb8c3fae06dc10ad480c8e6b8b7b592", + "sha256": "3b864d1471ed0949b02f1fa251b987185abeaddcbecd44efdbb6a7b7f03ca8bc" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791625760768, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\msxml3.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258914, + "hashes": { + "imphash": "6b6c83729fa36b04c301494d1eb07752", + "md5": "bb074f35b49eb2ea416962b596281e1e", + "sha1": "355fdb9e66ffad42144b1b6ec4d8eb357ed05d52", + "sha256": "e07208204b9616027e5144e2f3ef1ba81168365b7d2a761210b0fbc65b97871e" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791623598080, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\systemcpl.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258594, + "hashes": { + "imphash": "2bd8f9f72a13c2803ac3d34b805130b9", + "md5": "764908fe1fa96f93c95b1b67a0fced29", + "sha1": "88d0027e5d10158e3678d9eb2326779fef8a64d1", + "sha256": "26ef25ab307903c5e806a8cc3b750a491049e5d1225ceddfce64dd51aa6f592b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791722557440, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\NETAPI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259010, + "hashes": { + "imphash": "6ad99a405bde55d6a18debafd3f5e5c5", + "md5": "3c91392d448f6e5d525a85b7550d8ba9", + "sha1": "b62eaf7d80617e136a8f3c9161c23464e6f2a171", + "sha256": "6fd0dc73dbe7519e2c643554c2a7f8fbe4f9a678c4241bb54b3c6e65d2abcf3a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791722295296, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wkscli.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534877, + "hashes": { + "imphash": "3e340766bf7f54e3e9746a945d4dcb71", + "md5": "a77be7cb3222b4fb0ac6c71d1c2698d4", + "sha1": "e68b4e0058fb130c765e5aa98af36e26563809db", + "sha256": "73566223914bf670df6b5931fa213e546713531b10391ed65b5256bbd7abde7f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791735926784, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\DSROLE.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258758, + "hashes": { + "imphash": "c888173aa662e52d4b6194ed15819a13", + "md5": "db76db15efc6e4d1153a6c5bc895948d", + "sha1": "00dc6172c4507def32e4a269c08e76ab09abc3fe", + "sha256": "71ddf02c7ee2df66a08f1a2a08da39802c354624880a2be93a706ea7476422a3" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791690641408, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SPPC.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 07:10" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247535243, + "hashes": { + "imphash": "9484a9d0a0e3ef20592c9f66412400a6", + "md5": "666a60f6f5e719856ff6254e0966eff7", + "sha1": "10258e708443bd21997e7a977b5ee36bd758e368", + "sha256": "58c072e7e215991e19c1ca062c476081982f7b9f039714539ae7feb4981c200f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791716200448, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wbem\\wbemprox.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 07:10" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258938, + "hashes": { + "imphash": "03a62984ba62616e18740e69949df533", + "md5": "7db5aa22a8a8e5c2d335f44853c1f6de", + "sha1": "add6f6e2b6df5f571d06db724de5c7badad4e775", + "sha256": "a734a20357026c42950394682a52cbc3af956d09f1949e1b4e95467e999bc428" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791690051584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wbemcomn.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535244, + "hashes": { + "imphash": "6178a249d43f815225b0a9205f1f4f70", + "md5": "718b6f51ab7f6fe2988a36868f9ad3ab", + "sha1": "7cc84a20d6597f58eebabea5489d72239c6e746b", + "sha256": "76141b4e94c2766e2c34cef523092948771a7893212efadbe88d2171b85ff012" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791683170304, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wbem\\wbemsvc.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 07:10" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247534846, + "hashes": { + "imphash": "c93ca8ec08e734d1b95c2a2d28884c47", + "md5": "a3f5e8ec1316c3e2562b82694a251c9e", + "sha1": "f0cdc2b44e609950ee97d9967c7459055a2af1a8", + "sha256": "f3dc6aa6a9d3b5bbc730668fc52c1d4bb5d515d404578bddd3d4869a7ed58822" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791688675328, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wbem\\fastprox.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535150, + "hashes": { + "imphash": "29f9ce11d25836037034b49be93790c6", + "md5": "ee26d130808d16c0e417bbbed0451b34", + "sha1": "962d52fb4d8f9965c5fc11a98f2f9048a2a5d918", + "sha256": "4886dce4faef146a40babd492a8000a2022fea542a6135a9bafd4cd09297b4e5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791688478720, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\NTDSAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258103, + "hashes": { + "imphash": "ba45ab39c8fb40e4076d27cf8e0f4180", + "md5": "b8509dcfcfd577f568be4026bfd982c0", + "sha1": "1923c5995faf94d9b1767aca04e3134a5cedc07a", + "sha256": "e3608e6de15c400fa437349e7295fef10a1a0213ca3b532a58964b8c89749110" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791788355584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\imagehlp.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + } + ], + "name": "explorer.exe", + "parent_exe": "", + "parent_name": "", + "pid": 784, + "ppid": 704, + "primary_token": { + "domain": "WIN-Q3DOP1UKA81", + "integrity_level": 12288, + "integrity_level_name": "high", + "privileges": [ + { + "description": "Adjust memory quotas for a process", + "enabled": false, + "name": "SeIncreaseQuotaPrivilege" + }, + { + "description": "Manage auditing and security log", + "enabled": false, + "name": "SeSecurityPrivilege" + }, + { + "description": "Take ownership of files or other objects", + "enabled": false, + "name": "SeTakeOwnershipPrivilege" + }, + { + "description": "Load and unload device drivers", + "enabled": false, + "name": "SeLoadDriverPrivilege" + }, + { + "description": "Profile system performance", + "enabled": false, + "name": "SeSystemProfilePrivilege" + }, + { + "description": "Change the system time", + "enabled": false, + "name": "SeSystemtimePrivilege" + }, + { + "description": "Profile single process", + "enabled": false, + "name": "SeProfileSingleProcessPrivilege" + }, + { + "description": "Increase scheduling priority", + "enabled": false, + "name": "SeIncreaseBasePriorityPrivilege" + }, + { + "description": "Create a pagefile", + "enabled": false, + "name": "SeCreatePagefilePrivilege" + }, + { + "description": "Back up files and directories", + "enabled": false, + "name": "SeBackupPrivilege" + }, + { + "description": "Restore files and directories", + "enabled": false, + "name": "SeRestorePrivilege" + }, + { + "description": "Shut down the system", + "enabled": false, + "name": "SeShutdownPrivilege" + }, + { + "description": "Debug programs", + "enabled": false, + "name": "SeDebugPrivilege" + }, + { + "description": "Modify firmware environment values", + "enabled": false, + "name": "SeSystemEnvironmentPrivilege" + }, + { + "description": "Bypass traverse checking", + "enabled": true, + "name": "SeChangeNotifyPrivilege" + }, + { + "description": "Force shutdown from a remote system", + "enabled": false, + "name": "SeRemoteShutdownPrivilege" + }, + { + "description": "Remove computer from docking station", + "enabled": false, + "name": "SeUndockPrivilege" + }, + { + "description": "Perform volume maintenance tasks", + "enabled": false, + "name": "SeManageVolumePrivilege" + }, + { + "description": "Impersonate a client after authentication", + "enabled": true, + "name": "SeImpersonatePrivilege" + }, + { + "description": "Create global objects", + "enabled": true, + "name": "SeCreateGlobalPrivilege" + }, + { + "description": "Increase a process working set", + "enabled": false, + "name": "SeIncreaseWorkingSetPrivilege" + }, + { + "description": "Change the time zone", + "enabled": false, + "name": "SeTimeZonePrivilege" + }, + { + "description": "Create symbolic links", + "enabled": false, + "name": "SeCreateSymbolicLinkPrivilege" + } + ], + "sid": "S-1-5-21-2016385190-3414718578-1263322444-500", + "type": "tokenPrimary", + "user": "Administrator" + }, + "sha1": "4583daf9442880204730fb2c8a060430640494b1", + "sha256": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", + "sid": "S-1-5-21-2016385190-3414718578-1263322444-500", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted", + "threads": [ + { + "create_time": 1542341500, + "entrypoint": 4279023504, + "thread_id": 1920, + "up_time": 437 + }, + { + "create_time": 1542341500, + "entrypoint": 2008002240, + "thread_id": 1812, + "up_time": 437 + }, + { + "create_time": 1542341500, + "entrypoint": 8791783440744, + "thread_id": 2472, + "up_time": 436 + }, + { + "create_time": 1542341500, + "entrypoint": 8791792141832, + "thread_id": 2468, + "up_time": 436 + }, + { + "create_time": 1542341500, + "entrypoint": 8791790810108, + "thread_id": 2464, + "up_time": 436 + }, + { + "create_time": 1542341500, + "entrypoint": 8791792141832, + "thread_id": 2476, + "up_time": 435 + }, + { + "create_time": 1542341500, + "entrypoint": 2008021952, + "thread_id": 1800, + "up_time": 434 + }, + { + "create_time": 1542341500, + "entrypoint": 2008021952, + "thread_id": 2516, + "up_time": 433 + }, + { + "create_time": 1542341500, + "entrypoint": 8791792141832, + "thread_id": 2500, + "up_time": 433 + }, + { + "create_time": 1542341500, + "entrypoint": 8791792141832, + "thread_id": 1068, + "up_time": 432 + }, + { + "create_time": 1542341500, + "entrypoint": 8791792141832, + "thread_id": 2676, + "up_time": 428 + }, + { + "create_time": 1542341500, + "entrypoint": 8791792141832, + "thread_id": 2660, + "up_time": 428 + }, + { + "create_time": 1542341500, + "entrypoint": 8791792141832, + "thread_id": 2748, + "up_time": 428 + }, + { + "create_time": 1542341500, + "entrypoint": 8791729529348, + "thread_id": 2636, + "up_time": 428 + }, + { + "create_time": 1542341500, + "entrypoint": 8791792141832, + "thread_id": 2732, + "up_time": 424 + }, + { + "create_time": 1542341500, + "entrypoint": 8791783440744, + "thread_id": 1472, + "up_time": 419 + }, + { + "create_time": 1542341500, + "entrypoint": 2008021952, + "thread_id": 2220, + "up_time": 415 + }, + { + "create_time": 1542341800, + "entrypoint": 2008021952, + "thread_id": 2332, + "up_time": 104 + }, + { + "create_time": 1542341800, + "entrypoint": 2008021952, + "thread_id": 3712, + "up_time": 99 + }, + { + "create_time": 1542341800, + "entrypoint": 8791792141832, + "thread_id": 2080, + "up_time": 85 + }, + { + "create_time": 1542341800, + "entrypoint": 2008021952, + "thread_id": 4012, + "up_time": 81 + }, + { + "create_time": 1542341800, + "entrypoint": 2008021952, + "thread_id": 4060, + "up_time": 81 + }, + { + "create_time": 1542341800, + "entrypoint": 2008021952, + "thread_id": 520, + "up_time": 77 + }, + { + "create_time": 1542341800, + "entrypoint": 2008021952, + "thread_id": 3236, + "up_time": 74 + }, + { + "create_time": 1542341800, + "entrypoint": 2008021952, + "thread_id": 3260, + "up_time": 72 + }, + { + "create_time": 1542341900, + "entrypoint": 8791792141832, + "thread_id": 3680, + "up_time": 56 + }, + { + "create_time": 1542341900, + "entrypoint": 2008021952, + "thread_id": 3708, + "up_time": 55 + }, + { + "create_time": 1542341900, + "entrypoint": 2008021952, + "thread_id": 2512, + "up_time": 55 + }, + { + "create_time": 1542341900, + "entrypoint": 8791792141832, + "thread_id": 3748, + "up_time": 54 + }, + { + "create_time": 1542341900, + "entrypoint": 8791690668104, + "thread_id": 3872, + "up_time": 51 + }, + { + "create_time": 1542341900, + "entrypoint": 8791683305488, + "thread_id": 1016, + "up_time": 26 + }, + { + "create_time": 1542341900, + "entrypoint": 2008021952, + "thread_id": 3520, + "up_time": 26 + }, + { + "create_time": 1542341900, + "entrypoint": 8791792141832, + "thread_id": 3992, + "up_time": 13 + }, + { + "create_time": 1542341900, + "entrypoint": 8791760904360, + "thread_id": 3604, + "up_time": 12 + } + ], + "unique_pid": 35, + "unique_ppid": 0, + "up_time": 437, + "user": "Administrator" + } + }, + "captured_file": false, + "file_name": "C:\\Users\\Administrator\\Downloads\\endpointpe-blacklist-test.exe", + "file_operation": "open", + "file_owner": "Administrators", + "file_size": 188416, + "hashes": { + "imphash": "835d619dfdf3cc727cebd91300ab3462", + "md5": "4ace3baaa509d08510405e1b169e325b", + "sha1": "27fb21cf5db95ffca43b234affa99becc4023b9d", + "sha256": "6ed1c836dbf099be7845bdab7671def2c157643761b52251e04e9b6ee109ec75" + }, + "is_signature_trusted": false, + "malware_classification": { + "compressed_malware_features": { + "data_buffer": "eAHtnU1oHHUUwHsQ7MGDiIIUD4sH8WBBxJtopiLoUY0pYo2ZTbJJ0yQ17m4+ms/NRzeVWpuUWCL4sWlEYvFQ8KJQ6NCTEA8eRD30sIo3PdSriLi7837Pko3LbHZ2M5m+XObHm/d/X////83O7jCZvzacHBpPplNdfalkdjSdyty674Ft59dN71Dpb9v5eKh8LMEHjsCF2wIfVlRKsHROYPGkQO5+gY2vBSYYdWZFYGwEO/cITHMqkxPYnBBY+07gtCuQ9gSGigJ5lPPYGXcE+jA4z3Ad1ZtAUiDUyrEEPYzqRnIKgxd/Rgc7gygPo5wn95PouN7OeEYJ1UXiJgRmvscgp/LOziIkkSyT+xRVnXhZ4DKh5goCkzidRHkGO4uvCyw9LDDtCay8ILCAzrJOJaGuZwUuvSewivJVIPsklq8JbL4qMJsTSCcExrGs83WKU295ZFo5lr2TaZbcUw5FeJy8tgTeLpCy2iGeS67ABXzlgbEi1UC5FxcZnA4y/CLK82Qxi847FGGZRTLsCUxR1aWEwOp1AmOjDRYYzgwusL9WfqBiGJxnVAanixTq7Dp22LBdlWMJzlOx8wmBK2Rx5WmBLJIRwtAijOQE+ooCb2B5xBOYRtlfNeXpLpA7oyZRTqHzGenkmIJPnhBIMrzTwSA6H93CO5l+c1NA99f6IwLH8fUKdjTmDpTbgS50+gGVnECnE4PpooC2guPoaPADSHrcncNHmEHtAFkq3+EI+A37zsrrTvH3WTkvJLoOTyBp10wx2JcgVCRahA4NrICE4a+hrMXsA3qAHItW188E8ejO7XV3eh/KCYwxlamEwCgL8lN2wTntfrhY/U0g/5KAdvUpT+AszWqBdqH7VLeeZrExK9Cv1UgIDKA8g/cx7QAEP+AhAfRaMKB2HOJh+BSFSqKjSytNGBlc6PrpxvK7lCVDxbSG3Z7AhCMwx6gelwgLAltXBXJUTH29j+U1LHdipx/QprfKfGnF0sBpdBYxmEQyTzW0h6/0khcuhhJYRufym+i4VKMocJMs/KvfoW3/UJb4PeZOSZVONThZz4djP/75TAXa/CVfOvX3RgVLIDreLPN1pP1osW7lGmHsEhjBOzf+EPBE4vndvWz5xb/cChxGcv1LAb+tluALKnZ47isf1MXvz1ZMlsCXbXtPceqhrcp1ps6YHwQeBXLEPCf7q23tl9uJui0bGBgYRAccv7uXr/g5Af+2oNTrpgTa/vnpjBvpLAwM4gRBPvIZGBgYGBgYGBgYGBgYGBgYGBgYGBgYNAOc9oMXs4GBgYFBcNBnww5QzDXgRtPSaZ5lg/itsRaslgZ3bnWEEVnhMetIBwiiVnlbCbWrEftrt11zdwWnseFW1QO63w1is3ptD1pV9xG0t+zvfUrzrvh380qwXWAVCw6h78GIfG7ZlzltXu6hd+y92fECRFhjuH3bXG8N43oXEHperdzvUbteaDxhVTUeq25fqhG1X6Ai8mtF6BDXz2wR+dzSgg4Qsxls5T11XMG+82y8GkG+b7kL69xg7mF1SFvhBgYGsYH/Xi7HE+PVkiB2jt1bNZxT+k4558jR53ydz5//1m1KOgYGBgYGBgYGEQfnsYaG2z1sdPJS79XQSu91ndobOAHCaN5vNzUk1bceQVzUpbw3iOuT+UFmR18bHrp3gyhDC56lCd1y85w2+HSNUwVhhdGC7blLf+bV/fqtvhMg1NDjCcugB1QXswbs8ekj/v1BgzFHBIIsyP+HfwFdMpzu", + "decompressed_size": 27831, + "encoding": "zlib" + }, + "identifier": "endpointpe", + "prevention_threshold": 0.66, + "score": 1, + "threshold": 0.66, + "version": "3.0.33" + }, + "pid": 784, + "ppid": 704, + "signature_signer": "", + "temp_file_path": "C:\\Windows\\TEMP\\581ac9e2-e9ea-499e-8ec6-d7eed985b6c3", + "timestamp": { + "accessed": 1542341100, + "created": 1542341100, + "modified": 1542341100 + }, + "user_blacklisted": false + }, + "event_subtype_full": "file_classification_event", + "event_type_full": "alert_event", + "metadata": { + "beta_alert": false, + "chunk_id": 0, + "collection_time": 1542341900, + "correlation_id": "9a754fa1-f526-4390-9adf-640cae174f66", + "destination_plugin": "send", + "final": true, + "is_alert": true, + "key": "fileClassificationEventResponse", + "message_id": "7b97295f-3aae-4dc8-944f-039f1064c55b", + "origination_task_id": "010d9a4e-dd34-4dfa-b283-a492a5785e90", + "os_type": "windows", + "priority": 80, + "result": { + "local_code": 0, + "local_msg": "Success" + }, + "semantic_version": "3.50.0", + "sensor_version": "3.50.0", + "task_id": "010d9a4e-dd34-4dfa-b283-a492a5785e90", + "type": "prevention" + }, + "opcode": 8, + "serial_event_id": 141336, + "timestamp": 132140205750594450, + "timestamp_utc": "2019-09-27 01:16:15Z" + }, + "event": { + "action": "file_classification_event", + "dataset": "esensor", + "kind": "alert", + "module": "endgame" + }, + "host": { + "hostname": "HD-c15-bc09190a", + "ip": "10.179.244.14", + "name": "HD-c15-bc09190a", + "os": { + "name": "Windows", + "platform": "windows", + "version": "6.1" + } + }, + "labels": { + "account_id": "8c48070b-4b61-4ded-86d5-1b9a7a78229c", + "endpoint_id": "ced9c68e-b94a-4d66-bb4c-6106514f0a2f" + }, + "user": { + "group": { + } + } + }, + "type": "_doc" + } + }, + { + "type": "doc", + "value": { + "id": "9ONEc20BW148Je-ro712", + "index": "test_alert_data", + "source": { + "@timestamp": 1542346435000, + "agent": { + "id": "c89dc040-2350-4d59-baea-9ff2e369136f", + "type": "endgame", + "version": "3.0.0" + }, + "ecs": { + "version": "1.1.0" + }, + "endgame": { + "data": { + "alert_details": { + "acting_process": { + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "cmdline": "\"C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe\"", + "create_time": 1542345900, + "domain": "NT AUTHORITY", + "exe": "C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe", + "hashes": { + "md5": "1f2d082566b0fc5f2c238a5180db7451", + "sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d", + "sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2" + }, + "imphash": "c30d230b81c734e82e86e2e2fe01cd01", + "is_sensor": false, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "md5": "1f2d082566b0fc5f2c238a5180db7451", + "modules": [ + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1534424710, + "hashes": { + "imphash": "c30d230b81c734e82e86e2e2fe01cd01", + "md5": "1f2d082566b0fc5f2c238a5180db7451", + "sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d", + "sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 5354225664, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 b3 f5 00 00 00 00 00 0d ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 05:28" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258681, + "hashes": { + "imphash": "d41d8cd98f00b204e9800998ecf8427e", + "md5": "3556d5a8bf2cc508bdab51dec38d7c61", + "sha1": "92015f7bbdb9dad35e41c533d2c5b85f1cd63d85", + "sha256": "91e3d98ad3119e8addf8d2aa1dd6795162842fff7101e4c70c5137e847b4ff50" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2001141760, + "mapped_size": 0, + "path": "C:\\Windows\\SYSTEM32\\ntdll.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258315, + "hashes": { + "imphash": "9165b02c931d76a9b666d8d42128111b", + "md5": "7a6326d96d53048fdec542df23d875a0", + "sha1": "5c02af0206c299f5bcab8da4237cfc92e3e93495", + "sha256": "182351570856cd6eedd9df7e2fb8ab76bd4d8fc70be11ad5de6484cfd70c21c6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 1999962112, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\kernel32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258316, + "hashes": { + "imphash": "3f7fb1504bb73a54888bf1c3650fe4cf", + "md5": "da68c291b4ef2dec9c5963266bcae454", + "sha1": "5696e8c68fcf64104499e20e7cd5452b58b4f4ba", + "sha256": "21aa4779fc21e762178517268c95467238c92851ad9160bffc36b2379c58337f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791752769536, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\KERNELBASE.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258929, + "hashes": { + "imphash": "2cb501375ed127591bf5cfee7f1e52fe", + "md5": "fe70103391a64039a921dbfff9c7ab1b", + "sha1": "e0019d9442aeebd3bb42a24c38aa2fae4c6bd4f5", + "sha256": "f7d219d75037bc98f6c69143b00ab6000a31f8b5e211e0af514f4f4b681522a0" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 1998913536, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USER32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258001, + "hashes": { + "imphash": "51945fdf9aaf56aeb9d6fa1f21b638ce", + "md5": "1084aa52ccc324ea54c7121fa24c2221", + "sha1": "b13ef924708fa88577931ed0337000e90adcdf5b", + "sha256": "6e972cf624f7c0de8190434b3b30279a01c551713109f97b9ebb77fac9364754" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791766269952, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\GDI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534943, + "hashes": { + "imphash": "919110853c18aa198ad129945337b1dd", + "md5": "d202223587518b13d72d68937b7e3f70", + "sha1": "916a3ce858f074f57dd9dac01be5cd4649f19887", + "sha256": "9db971b866d058adbb518dd99b87c5db8dd1e7c9073755b989ae7e9fb62901e8" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791758929920, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\LPK.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258933, + "hashes": { + "imphash": "17bf46cf6bf6c8cae48be5b75615a353", + "md5": "2f8b1e3ee3545d3b5a8d56fa1ae07b65", + "sha1": "66310680ee38904b2852717af13028e53b4e8b8e", + "sha256": "2a3ec01f3bafe7d7d656886437f7ffecce440c0d3f3467804769ab4bf1ff7a99" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791760175104, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\USP10.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535038, + "hashes": { + "imphash": "8c99b1c0f6cf68b07336751f460f1dba", + "md5": "7319bb10fa1f86e49e3dcf4136f6c957", + "sha1": "3eea5ee8bafb2b9975b236c5c5655df6f4b42aa1", + "sha256": "60de43ab267fd41c9804369b569139add30ed4e295c425f44fc04d3fcc95fca2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791765286912, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\msvcrt.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534699, + "hashes": { + "imphash": "e1ee2d71958d21e0e1bf887dfe76af7f", + "md5": "6df46d2bd74e3da1b45f08f10d172732", + "sha1": "3491f8f9a73c00b158e43a530210d67a4f0598ae", + "sha256": "2dc945f6f2c4a82189bc7da2fcbb7d9a0e2588a909539249e55ba82468e0c677" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791761027072, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ADVAPI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535198, + "hashes": { + "imphash": "b8ba136689cdc8d8b25fc04902f39a22", + "md5": "83404dcbce4925b6a5a77c5170f46d86", + "sha1": "22bda6b9da4fcf492b4dd16554b0c0e27e1b8667", + "sha256": "d669614d0b4461db244ad99fbe1ba92ceb9b4ed5ec8e987e23764e77d9ac7074" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791789010944, + "mapped_size": 0, + "path": "C:\\Windows\\SYSTEM32\\sechost.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258798, + "hashes": { + "imphash": "46876e4adb924a616ddbbb1992d61257", + "md5": "0611473c1ad9e2d991cd9482068417f7", + "sha1": "c4a3fa902dedad5d448e1d8b2d113cae1dcf2f7a", + "sha256": "90afcc2a60350ece27e75e76459132ef0fa28ef283ce88fced4b82735a93ecda" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791770726400, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\RPCRT4.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1534424472, + "hashes": { + "imphash": "a24cfb84e3006f3634d5b09aed45c264", + "md5": "56e6aa240cf6503265fbe5cf4d5889e8", + "sha1": "2678a3c08b2f82598527bd0c064eb1be5877e277", + "sha256": "4e7e127e2818eeb2de34a9369dcaca233443f085e53706c969592a9907df2ae8" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791706042368, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\AP.dll", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1534424450, + "hashes": { + "imphash": "f12460104bb4725d7964cf569f727f61", + "md5": "58017789505c114426b63c775debc12b", + "sha1": "0a348ca38bbcf851083578b77a8263765bd9b5e7", + "sha256": "1bd7d7b7b69e15adb6fcf0b520a7107eb5270163935e1f50fcee85ed65440b46" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791701979136, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\Protobuf.dll", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1438071093, + "hashes": { + "imphash": "341d1190606326748a708433d5d0cc36", + "md5": "0a2be3ed5a71082e5f9296f79323a639", + "sha1": "6acb15e8191b5530297c807d3066b1a71f4326d4", + "sha256": "8847013e01db09adab6a1dc338803df3696730577a0dda847847540529048aae" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791700799488, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\libprotobuf.dll", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Code Signing PCA", + "serial_number": "33 00 00 00 b0 11 af 0a 8b d0 3b 9f dd 00 01 00 00 00 b0 ", + "subject_name": "Microsoft Corporation" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "33 00 00 00 2b 39 32 48 c1 b2 c9 48 f3 00 00 00 00 00 2b ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "10/04/2013 22:49" + }, + "more_info_link": "http://microsoft.com", + "program_name": "msvcp120.dll", + "publisher_link": "" + }, + "compile_time": 1380942867, + "hashes": { + "imphash": "d0a59246eab41d54812cd63c2326e1f1", + "md5": "46060c35f697281bc5e7337aee3722b1", + "sha1": "d0164c041707f297a73abb9ea854111953e99cf1", + "sha256": "2abf0aab5a3c5ae9424b64e9d19d9d6d4aebc67814d7e92e4927b9798fef2848" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791700078592, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSVCP120.dll", + "signature_signer": "Microsoft Corporation", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Code Signing PCA", + "serial_number": "33 00 00 00 b0 11 af 0a 8b d0 3b 9f dd 00 01 00 00 00 b0 ", + "subject_name": "Microsoft Corporation" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "33 00 00 00 2b 39 32 48 c1 b2 c9 48 f3 00 00 00 00 00 2b ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "10/04/2013 22:49" + }, + "more_info_link": "http://microsoft.com", + "program_name": "msvcr120.dll", + "publisher_link": "" + }, + "compile_time": 1380942847, + "hashes": { + "imphash": "8f18e22935ef8b336e246ee763fbec97", + "md5": "9c861c079dd81762b6c54e37597b7712", + "sha1": "62cb65a1d79e2c5ada0c7bfc04c18693567c90d0", + "sha256": "ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791699095552, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSVCR120.dll", + "signature_signer": "Microsoft Corporation", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258732, + "hashes": { + "imphash": "faad2d5bf5c0ca9639e07a49e8c5d8ae", + "md5": "6c60b5aca7442efb794082cdacfc001c", + "sha1": "aae17944782b25f41f7b3a756532b4923f4ae817", + "sha256": "fc1d9124856a70ff232ef3057d66bee803295847624ce23b4d0217f23af52c75" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791767121920, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\ole32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258736, + "hashes": { + "imphash": "774fed8966de60d3af2dd9070df5be6f", + "md5": "42f05f980f164e084db65b2e8cd8430f", + "sha1": "86498b3c5bbc240b9de0a10f2cb4185e754de6d7", + "sha256": "0813749847b08f6577791d18ad9eca6dff5b41c2f727ab5ee9e5bf9602ed50cb" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791769808896, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\OLEAUT32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258981, + "hashes": { + "imphash": "1ec347d133df2fe4da3e5f8944caeae8", + "md5": "4bbfa57f594f7e8a8edc8f377184c3f0", + "sha1": "d48aafa576b40a5e386e609bba1010472551154a", + "sha256": "9f3ac5dea5a6250c3dbb97af79c81c0a48429486521f807355a1d7d3d861b75f" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791771971584, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WS2_32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535145, + "hashes": { + "imphash": "579f52f57e43aa6ff0d07e88af5d0ff5", + "md5": "044fe45ffd6ad40e3bbbe60b7f41babe", + "sha1": "94233c0d4169c02c85514adb1f05cd3298c87f43", + "sha256": "a1688a5e6e0f7037c850699462c2655006a7d873c97f9ab406c59d81749b6f09" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791756898304, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\NSI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258859, + "hashes": { + "imphash": "4b37cbf60127ea0550ec30e0b1c52984", + "md5": "eaf32cb8c1f810e4715b4dfbe785c7ff", + "sha1": "3b099b193abb9064e6937101d0c309f04d713882", + "sha256": "db6ad07fded42433e669508ab73faff6daff04575d6f1d016fe3eb6ecec4dd5d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791759650816, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SHLWAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257495, + "hashes": { + "imphash": "fd8a6a2046d9572b7f8f4288ae251c61", + "md5": "497bfeddaf3950dd909c3b0c5558a25d", + "sha1": "5d55bdc156372f51eb126f7bc2a8af161a1ef254", + "sha256": "980ea189929d95eb36e35980fff0c81f7b78de9422771fde8f4ac7a779f5bd89" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791725768704, + "mapped_size": 0, + "path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258138, + "hashes": { + "imphash": "0bc508389b6b5577cf3cca214ca523a7", + "md5": "2b81776da02017a37fe26c662827470e", + "sha1": "8c85389640bea73a009d83079f8b4c963697035f", + "sha256": "a656353c50ee08422145d00db9cfd9f6d3e664753b3c454b171e2a56a8aa94dc" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791720460288, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\IPHLPAPI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535281, + "hashes": { + "imphash": "e710d6d30f2346e7cd91c89ec3b602d9", + "md5": "4c9210e8f4e052f6a4eb87716da0c24c", + "sha1": "d4fa50aded12eb162478d7606f1270b78dd1a44b", + "sha256": "460f7990bdadb7d58d6dc95b094d30a2efdc4ceed444b18a2f36e8d9076fb8b9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791720198144, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINNSI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247527581, + "hashes": { + "imphash": "be693a67b5b884d7609eaf574ba00955", + "md5": "d87e1e59c73c1f98d5ded5b3850c40f5", + "sha1": "141c0ebecdd2733b90431f18b188ee0b64456268", + "sha256": "536419bff9f877d4314b5d0c045d9a6e729489c389863fadf07e382050bc84fd" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 2003042304, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\PSAPI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "12 fb c3 65 d3 1e 18 e4 43 7e ed f7 77 5e 0c fb ", + "subject_name": "Cybereason Inc" + }, + "cert_timestamp": { + "issuer_name": "", + "serial_number": "", + "subject_name": "", + "timestamp_string": "" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1472978395, + "hashes": { + "imphash": "3a8c832bddbba9333df28c1da212318e", + "md5": "e1c637922e34d868ebcd6ef199cf1394", + "sha1": "01c19a0137082a03ecace613506af5fe9a66a12b", + "sha256": "0c0c7b4c9926413c285fa2345f08b895888887156277e535851a1f1d774e6c6c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791698243584, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\SQLite2015.dll", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534912, + "hashes": { + "imphash": "d76d7be0b8ac9aafe17d2cc7deb32b29", + "md5": "aa2c08ce85653b1a0d2e4ab407fa176c", + "sha1": "0119c23d88292a0e4fec04d5cf8629005a44e37c", + "sha256": "83dfd0c119b20aedb07114c9d1cf9ce2dfa938d0f1070256b0591a9e2c3997fa" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791766073344, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\IMM32.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535018, + "hashes": { + "imphash": "b523fff180cb22465ccf191b827e9923", + "md5": "c431eaf5caa1c82cac2534a2eab348a3", + "sha1": "e425577ccfc9b92efbbcb760d21fcaa478d3e51a", + "sha256": "addf850128dc675e67faba9a3d0d27e684f01f733962ca22927bb94503549e44" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791761944576, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSCTF.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534874, + "hashes": { + "imphash": "621a31b25a9ef1d128ea281b3eab572b", + "md5": "0040c486584a8e582c861cfb57ab5387", + "sha1": "bcf326e3f79b3db028c2ef1cc1a47d9697e867e7", + "sha256": "5ee17b55cb702d14ae75b19226de21cd2498bda6c6ef5872fdb8a718f401fed1" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791719346176, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\fwpuclnt.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258848, + "hashes": { + "imphash": "cc4d63ca30fdbb90048e549782d2116a", + "md5": "858df0795cb5b4bace0f33708925a414", + "sha1": "e629ed78e6e1829263890974760dad8a431edf69", + "sha256": "a9063af8d5c73a722bd269d144d8a65c98db4cfdd9f626e3a8283754e22c8c9c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791748050944, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\Secur32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258854, + "hashes": { + "imphash": "9c631776d86c9b15258c3cc2a6a7891d", + "md5": "26e716ed95dc48cf6e5ac046089366af", + "sha1": "2bd96b8ae5ae3ad14c16d2a98a91a9a9f26d179d", + "sha256": "f686d557b7ac1688efc7cb48311290d713d3db2e9e61e947098a7c80e3a1b9e9" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791772299264, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\shell32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "11/29/2016 03:22" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1480418473, + "hashes": { + "imphash": "f89e0a919d52e2b37d82d27f521530cf", + "md5": "f1a6e89598aa63a2efcfd1e31b44fe7c", + "sha1": "cd3a39758e72f42ef077c0ad9dd700509a032da6", + "sha256": "1ee6540520a7a84bc22036be42052303b5aed9911c9e8a04184a0688c63576f8" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791694901248, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\BDUpdateServiceCom.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258594, + "hashes": { + "imphash": "2bd8f9f72a13c2803ac3d34b805130b9", + "md5": "764908fe1fa96f93c95b1b67a0fced29", + "sha1": "88d0027e5d10158e3678d9eb2326779fef8a64d1", + "sha256": "26ef25ab307903c5e806a8cc3b750a491049e5d1225ceddfce64dd51aa6f592b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791715807232, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\NETAPI32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258588, + "hashes": { + "imphash": "96f28fef38c977afbf3f6e8f39c0d6b9", + "md5": "6ceca4c6a489c9b2e6073afdaae3f607", + "sha1": "b228f6208642cb99e5bcdf2d3ebda2b8bc4fb020", + "sha256": "127506d1db38275614cbeb047c133718ef9d03266ba9c98be55ec7847cfc9c3d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791715676160, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\netutils.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258920, + "hashes": { + "imphash": "2d37f2d4b3c246f361ca150fc7ebf8d4", + "md5": "3a9c9baf610b0dd4967086040b3b62a9", + "sha1": "3207ac7f895eab34623d994548d7810e54be3e79", + "sha256": "e8e9a0f42b1ee7806edceed08aa024d037215d06ca317e3678bd5364ad513d23" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791746609152, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\srvcli.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259010, + "hashes": { + "imphash": "6ad99a405bde55d6a18debafd3f5e5c5", + "md5": "3c91392d448f6e5d525a85b7550d8ba9", + "sha1": "b62eaf7d80617e136a8f3c9161c23464e6f2a171", + "sha256": "6fd0dc73dbe7519e2c643554c2a7f8fbe4f9a678c4241bb54b3c6e65d2abcf3a" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791715545088, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\wkscli.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535234, + "hashes": { + "imphash": "13ecfa3a285149680a7a4b174c8b8f5b", + "md5": "94e026870a55aaeaff7853c1754091e9", + "sha1": "a4f845318e095d841b05e1400747ee4c28e1f28e", + "sha256": "b2f5d5629d12bdfa98dbed3898368f37d9009c7531b6909c7285a2c11c9a0f93" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791736254464, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\VERSION.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "01/18/2017 09:26" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1484760175, + "hashes": { + "imphash": "b33f679b12d9d05d922e720c0e21818c", + "md5": "1e5ea729f6dc5a8aff675a45706d389d", + "sha1": "f5a70ab4772325946a93c9eaf48ebe1dd1e7d3a3", + "sha256": "35da922b25ec8389a733f46a6c0d37c2c6b05463a123cde9fee48402c473e1ef" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791694245888, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\scan.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "11/22/2016 08:08" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1479830743, + "hashes": { + "imphash": "513a166377e008d25aa2e22983dd13ff", + "md5": "3450d998edec5cdbd03b0df09c17e02d", + "sha1": "558979fb1a9368acdf2dc1e3d1afd94e7343f914", + "sha256": "c1f24493e4fc2a9c5d17e077455c3a610ad1e5fa46590f0f9598e680e5a07556" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791694114816, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\gzfltum.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "01/16/2017 05:34" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1484573247, + "hashes": { + "imphash": "d6d5dc292fe4d710905e9f280360309d", + "md5": "9f1bcf84eaa34afbdfcf19f22fc1d6f5", + "sha1": "e15e023d46738f4848f64ce853ada6a3083f8b7f", + "sha256": "d1c30b1a7fc63c4f52b00628c3e73f571db52ff2b87718bcb5a6322923f58987" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791693000704, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\bdquar.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "01/16/2017 05:34" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1484573248, + "hashes": { + "imphash": "4e1a791e94ac955105ddfaac387de22f", + "md5": "874d6017f89a2ef255a16280ed4b1bf7", + "sha1": "8951c3ab1c9ea0c312206b98d22a9779c8a89c8c", + "sha256": "00512202b78037c17a77b095fcb3458381002dbd20de8dee0c99ff7701343cda" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791691427840, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\BDSmartDB.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257756, + "hashes": { + "imphash": "5cd9d6761799e2ff681533ef1ffbb31d", + "md5": "2477a28081bdaee622cf045acf8ee124", + "sha1": "304c5f29fa847fbd994ad7a0471214198b928c14", + "sha256": "00a09caf9129e84feea98fa03ce9012c9f961b64fee15c4f268822c0f82acc3c" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791752376320, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CFGMGR32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "DigiCert Assured ID Code Signing CA-1", + "serial_number": "0f b5 4c 96 fd 63 93 fd 7b b9 9c d1 d0 d5 16 ed ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "09/12/2018 01:20" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1512623776, + "hashes": { + "imphash": "e2dab13fa4a67b25d3fbae65a189c521", + "md5": "627d7f1de23e6b01d6251b4c6962e765", + "sha1": "5e1d1854861016198ce4a1dbdea883f257de9463", + "sha256": "82bdf513b5f5b55ff740482ee839b14455b2296e2a911cb9a1ae622969412ed5" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791684612096, + "mapped_size": 0, + "path": "C:\\ProgramData\\apv2\\bd_db\\1\\bdcore.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "VeriSign Class 3 Code Signing 2010 CA", + "serial_number": "3d b2 9a 36 51 f3 f5 e4 9c e0 79 d2 83 95 76 30 ", + "subject_name": "Bitdefender SRL" + }, + "cert_timestamp": { + "issuer_name": "Symantec Time Stamping Services CA - G2", + "serial_number": "0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 ", + "subject_name": "Symantec Time Stamping Services Signer - G4", + "timestamp_string": "09/13/2017 23:13" + }, + "more_info_link": "", + "program_name": "", + "publisher_link": "" + }, + "compile_time": 1505278115, + "hashes": { + "imphash": "c2979e6e570392ed85b4e15810f2e90f", + "md5": "3b4c71b64bc20b0c6578a091a031c0fb", + "sha1": "00cb578e723555e929e4ad8e820772b56ce29475", + "sha256": "52db08c10a5f1482dda8527d592f71b33c1cfecfa5a5a2d0be5a78325c41dd7b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791673536512, + "mapped_size": 0, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\bdnc.dll", + "signature_signer": "Bitdefender SRL", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257999, + "hashes": { + "imphash": "04534d8dae5ab230b9bee9b1b0b2829d", + "md5": "3f9f2afa135f0663946a006dd5ffd897", + "sha1": "ea6456859b04b68af8dcd453381dd168af53fc5e", + "sha256": "276d1c9c78c529625c2ef3d77079324628686ea184767971901a1de93681c133" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791753490432, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPT32.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258373, + "hashes": { + "imphash": "2e50bc5d9fe777770c8a6b2cfaf6b2e9", + "md5": "884415bd4269c02eaf8e2613bf85500d", + "sha1": "c3a64f05c210b38c69d8f1fc1d74a71b56ada30c", + "sha256": "efe771709ec942694fd206ac8d0a48ed7dcd35036f074268e4aecd68ac982cea" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791752310784, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\MSASN1.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535280, + "hashes": { + "imphash": "af1203c1d6d810c97729856780869b12", + "md5": "ef2ae43bcd46abb13fc3e5b2b1935c73", + "sha1": "c53e005cd04d99331ce3114ac119256133202313", + "sha256": "81fc06f306f620845d7dd8d06e706309e70bc89b589c81f3478302a3f5f73431" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791680024576, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINMM.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258927, + "hashes": { + "imphash": "b32250da0d30f7782b5b900d4d9c519a", + "md5": "2a86e54b441ad41557f75dc5609b9793", + "sha1": "83ddcf8a1a0ca423bf8417f5e59b5c431bf50c43", + "sha256": "8fede6909413c0fa5b63d58d39affd0f6c3beeaf19b7b2f8674913abfd79a912" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791749951488, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\SSPICLI.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290258493, + "hashes": { + "imphash": "466f15f36f10655b30e9347e7dfc2b52", + "md5": "1d5185a4c7e6695431ae4b55c3d7d333", + "sha1": "5e9f739d46e20541ffc0a6421dc6be416ca8f261", + "sha256": "16f3906c54f1d71559836fdfcf4e83e7c9f454463d78fd577ad2d7022e0bcb51" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791743463424, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\mswsock.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535287, + "hashes": { + "imphash": "f967c6b35a5d1b7765016056a842e331", + "md5": "31559f3244c6bc00a52030caa83b6b91", + "sha1": "7943540153c7b7878101a4901d7935e05e7cfd32", + "sha256": "b2025742b5f0025ace9821d5722de3f997eeeab21d2f381c9e307882df422579" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791737106432, + "mapped_size": 0, + "path": "C:\\Windows\\System32\\wshtcpip.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534998, + "hashes": { + "imphash": "77870f98ca4d25a823c74d7404a64bfd", + "md5": "d0c2fbb6d97416b0166478fc7ae2b212", + "sha1": "e290bdf2312ac30a4e9f2a96d7c84714eee84899", + "sha256": "7eab6c37f0a845e645ca44cc060ac6c56e386c7ef7a64716c6786c9602ad8c9d" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791743856640, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPTSP.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 04 ca 69 00 00 00 00 00 08 ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 17:43" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1247535161, + "hashes": { + "imphash": "b8c20a01e4d94df61ee21f5350389f9c", + "md5": "5d8874a8c11dddde29e12de0e2013493", + "sha1": "a1c8e3e6ee44dcb68752d44b3b6f4ecce89c388d", + "sha256": "3e9a57137bf622af83e3e4d58971e2c0200559cca7545d16cf263aa03ee9c7d2" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791740710912, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\rsaenh.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534993, + "hashes": { + "imphash": "f0c6fd6831905d958b05645b680db89f", + "md5": "784fa3df338e2e8f5f0389d6fac428af", + "sha1": "6d32c67c91c6d374854e907c6719db2538540867", + "sha256": "9c8aa0cfdeb9e38aaf8eb08626070e0f0364f4f8a793cfe3532ec6c007980c34" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791750541312, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\CRYPTBASE.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290257906, + "hashes": { + "imphash": "ff74e3ff0a015c2023b747f613061e42", + "md5": "a52b6cc24063cc83c78c0e6f24deec01", + "sha1": "a5384efac7d1f9213aaf0423ed0b021bc986b9df", + "sha256": "77e0d2b2356e71f9be52fa479c9dde17c453c198bb49cd4a97f2309628d82e3b" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791741890560, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\DNSAPI.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534791, + "hashes": { + "imphash": "59b31e42f8fae7b5809ba7fcae732e0c", + "md5": "4cbcc37856ea2039c27a2fb661dda0e5", + "sha1": "cc666108d34168420a1d1942dda1e090154c7296", + "sha256": "74cbfab3092a9564bddfcb84db3e3f8bcfd1492938adf187423d3355d73d21c6" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791717642240, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dhcpcsvc6.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534790, + "hashes": { + "imphash": "f17020f0f66b64fbdf51c75b43f3729d", + "md5": "f568f7c08458d69e4fcd8675bbb107e4", + "sha1": "c1e05f0255a6f386711044b11e2d04dfd328b26a", + "sha256": "a5fa25ecf248999a68ccecfbb508bfa1add18a23e20a9a9081a87c41caaa36c0" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791717117952, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\dhcpcsvc.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247534847, + "hashes": { + "imphash": "dda6776607f283829d85b996f5e46d03", + "md5": "f3d202f53a222d5f6944d459b73cf967", + "sha1": "c9db224ce8ec34aa2f341b6766ea67aa12f8b4a7", + "sha256": "e9f1d48eb333d32331bcfd0348fe07bee7d5352292e6020571da395f596affe7" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791668686848, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\FLTLIB.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 01 c6 c1 00 00 00 00 00 07 ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "07/13/2009 19:17" + }, + "more_info_link": "http://www.microsoft.com/windows", + "program_name": "Windows System Catalog", + "publisher_link": "" + }, + "compile_time": 1247535135, + "hashes": { + "imphash": "ff720e05e534d67b814b8562265058f5", + "md5": "2c942733a5983dd4502219ff37c7ebc7", + "sha1": "263e8fbf77c0ceead0c9bca56394bffa4a664361", + "sha256": "34b20b6b0d7274e4b5b783f1d2345bc3dd9888964d5c2c65712f041a00cf5b45" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791751393280, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\profapi.dll", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + }, + { + "architecture": "x64", + "authenticode": { + "cert_signer": { + "issuer_name": "Microsoft Windows Verification PCA", + "serial_number": "61 15 23 0f 00 00 00 00 00 0a ", + "subject_name": "Microsoft Windows" + }, + "cert_timestamp": { + "issuer_name": "Microsoft Time-Stamp PCA", + "serial_number": "61 03 dc f6 00 00 00 00 00 0c ", + "subject_name": "Microsoft Time-Stamp Service", + "timestamp_string": "11/20/2010 11:37" + }, + "more_info_link": "http://www.microsoft.com", + "program_name": "Microsoft Windows", + "publisher_link": "" + }, + "compile_time": 1290259008, + "hashes": { + "imphash": "b2ecd39ae0055d9e1b8aa5bc78942cba", + "md5": "eb3f9c2de1236b5d46b2291d82970e43", + "sha1": "0ce9ddc1063256ab571b916389321fd7f572ddc0", + "sha256": "8a43d335f3d573bed98af54bb51e82546c2acc025da8a48d801213eb14e9d5d4" + }, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 8791753228288, + "mapped_size": 0, + "path": "C:\\Windows\\system32\\WINTRUST.DLL", + "signature_signer": "Microsoft Windows", + "signature_status": "trusted" + } + ], + "name": "AmSvc.exe", + "parent_exe": "C:\\Windows\\System32\\services.exe", + "parent_name": "services.exe", + "pid": 1084, + "ppid": 436, + "primary_token": { + "domain": "NT AUTHORITY", + "integrity_level": 16384, + "integrity_level_name": "system", + "privileges": [ + { + "description": "Replace a process level token", + "enabled": false, + "name": "SeAssignPrimaryTokenPrivilege" + }, + { + "description": "Lock pages in memory", + "enabled": true, + "name": "SeLockMemoryPrivilege" + }, + { + "description": "Adjust memory quotas for a process", + "enabled": false, + "name": "SeIncreaseQuotaPrivilege" + }, + { + "description": "Act as part of the operating system", + "enabled": true, + "name": "SeTcbPrivilege" + }, + { + "description": "Manage auditing and security log", + "enabled": false, + "name": "SeSecurityPrivilege" + }, + { + "description": "Take ownership of files or other objects", + "enabled": false, + "name": "SeTakeOwnershipPrivilege" + }, + { + "description": "Load and unload device drivers", + "enabled": true, + "name": "SeLoadDriverPrivilege" + }, + { + "description": "Profile system performance", + "enabled": true, + "name": "SeSystemProfilePrivilege" + }, + { + "description": "Change the system time", + "enabled": false, + "name": "SeSystemtimePrivilege" + }, + { + "description": "Profile single process", + "enabled": true, + "name": "SeProfileSingleProcessPrivilege" + }, + { + "description": "Increase scheduling priority", + "enabled": true, + "name": "SeIncreaseBasePriorityPrivilege" + }, + { + "description": "Create a pagefile", + "enabled": true, + "name": "SeCreatePagefilePrivilege" + }, + { + "description": "Create permanent shared objects", + "enabled": true, + "name": "SeCreatePermanentPrivilege" + }, + { + "description": "Back up files and directories", + "enabled": true, + "name": "SeBackupPrivilege" + }, + { + "description": "Restore files and directories", + "enabled": true, + "name": "SeRestorePrivilege" + }, + { + "description": "Shut down the system", + "enabled": false, + "name": "SeShutdownPrivilege" + }, + { + "description": "Debug programs", + "enabled": true, + "name": "SeDebugPrivilege" + }, + { + "description": "Generate security audits", + "enabled": true, + "name": "SeAuditPrivilege" + }, + { + "description": "Modify firmware environment values", + "enabled": false, + "name": "SeSystemEnvironmentPrivilege" + }, + { + "description": "Bypass traverse checking", + "enabled": true, + "name": "SeChangeNotifyPrivilege" + }, + { + "description": "Remove computer from docking station", + "enabled": false, + "name": "SeUndockPrivilege" + }, + { + "description": "Perform volume maintenance tasks", + "enabled": false, + "name": "SeManageVolumePrivilege" + }, + { + "description": "Impersonate a client after authentication", + "enabled": true, + "name": "SeImpersonatePrivilege" + }, + { + "description": "Create global objects", + "enabled": true, + "name": "SeCreateGlobalPrivilege" + }, + { + "description": "Increase a process working set", + "enabled": true, + "name": "SeIncreaseWorkingSetPrivilege" + }, + { + "description": "Change the time zone", + "enabled": true, + "name": "SeTimeZonePrivilege" + }, + { + "description": "Create symbolic links", + "enabled": true, + "name": "SeCreateSymbolicLinkPrivilege" + } + ], + "sid": "S-1-5-18", + "type": "tokenPrimary", + "user": "SYSTEM" + }, + "services": [ + { + "name": "CybereasonAntiMalware" + } + ], + "sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d", + "sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2", + "sid": "S-1-5-18", + "signature_signer": "Cybereason Inc", + "signature_status": "trusted", + "threads": [ + { + "create_time": 1542345900, + "entrypoint": 5354476452, + "thread_id": 1088, + "up_time": 601 + }, + { + "create_time": 1542345900, + "entrypoint": 2001252032, + "thread_id": 1116, + "up_time": 600 + }, + { + "create_time": 1542345900, + "entrypoint": 8791691510992, + "thread_id": 1204, + "up_time": 598 + }, + { + "create_time": 1542345900, + "entrypoint": 8791691468912, + "thread_id": 1220, + "up_time": 598 + }, + { + "create_time": 1542345900, + "entrypoint": 8791673571008, + "thread_id": 1392, + "up_time": 586 + }, + { + "create_time": 1542345900, + "entrypoint": 8791673571008, + "thread_id": 1396, + "up_time": 586 + }, + { + "create_time": 1542345900, + "entrypoint": 8791673574320, + "thread_id": 1400, + "up_time": 586 + }, + { + "create_time": 1542345900, + "entrypoint": 8791673638416, + "thread_id": 1404, + "up_time": 586 + }, + { + "create_time": 1542345900, + "entrypoint": 2001271744, + "thread_id": 1520, + "up_time": 584 + }, + { + "create_time": 1542345900, + "entrypoint": 8791699247140, + "thread_id": 1888, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 8791694133536, + "thread_id": 1904, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 8791694133536, + "thread_id": 1908, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 8791694133536, + "thread_id": 1912, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 8791694133536, + "thread_id": 1916, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 8791694133872, + "thread_id": 1920, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 8791694132592, + "thread_id": 1924, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 8791694133216, + "thread_id": 1928, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 8791694134640, + "thread_id": 1932, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 5354393504, + "thread_id": 1936, + "up_time": 547 + }, + { + "create_time": 1542345900, + "entrypoint": 5354393504, + "thread_id": 1944, + "up_time": 547 + }, + { + "create_time": 1542346000, + "entrypoint": 2001271744, + "thread_id": 2372, + "up_time": 509 + }, + { + "create_time": 1542346400, + "entrypoint": 8791743523392, + "thread_id": 4036, + "up_time": 43 + }, + { + "create_time": 1542346400, + "entrypoint": 8791673712896, + "thread_id": 4040, + "up_time": 43 + }, + { + "create_time": 1542346400, + "entrypoint": 2002168128, + "thread_id": 3372, + "up_time": 28 + } + ], + "unique_pid": 21, + "unique_ppid": 8, + "up_time": 601, + "user": "SYSTEM" + }, + "acting_thread": { + "create_time": 1542345900, + "service_name": "CybereasonAntiMalware", + "thread_id": 1912, + "thread_start_address": 8791694133536, + "thread_start_address_module": "C:\\Program Files\\Cybereason ActiveProbe\\gzfltum.dll" + } + }, + "captured_file": false, + "file_name": "C:\\Windows\\TEMP\\tmp0000045c\\tmp00001b4a", + "file_operation": "creation", + "file_owner": "Administrators", + "file_size": 188416, + "hashes": { + "imphash": "835d619dfdf3cc727cebd91300ab3462", + "md5": "4ace3baaa509d08510405e1b169e325b", + "sha1": "27fb21cf5db95ffca43b234affa99becc4023b9d", + "sha256": "6ed1c836dbf099be7845bdab7671def2c157643761b52251e04e9b6ee109ec75" + }, + "is_signature_trusted": false, + "malware_classification": { + "compressed_malware_features": { + "data_buffer": "eAHtnU1oHHUUwHsQ7MGDiIIUD4sH8WBBxJtopiLoUY0pYo2ZTbJJ0yQ17m4+ms/NRzeVWpuUWCL4sWlEYvFQ8KJQ6NCTEA8eRD30sIo3PdSriLi7837Pko3LbHZ2M5m+XObHm/d/X////83O7jCZvzacHBpPplNdfalkdjSdyty674Ft59dN71Dpb9v5eKh8LMEHjsCF2wIfVlRKsHROYPGkQO5+gY2vBSYYdWZFYGwEO/cITHMqkxPYnBBY+07gtCuQ9gSGigJ5lPPYGXcE+jA4z3Ad1ZtAUiDUyrEEPYzqRnIKgxd/Rgc7gygPo5wn95PouN7OeEYJ1UXiJgRmvscgp/LOziIkkSyT+xRVnXhZ4DKh5goCkzidRHkGO4uvCyw9LDDtCay8ILCAzrJOJaGuZwUuvSewivJVIPsklq8JbL4qMJsTSCcExrGs83WKU295ZFo5lr2TaZbcUw5FeJy8tgTeLpCy2iGeS67ABXzlgbEi1UC5FxcZnA4y/CLK82Qxi847FGGZRTLsCUxR1aWEwOp1AmOjDRYYzgwusL9WfqBiGJxnVAanixTq7Dp22LBdlWMJzlOx8wmBK2Rx5WmBLJIRwtAijOQE+ooCb2B5xBOYRtlfNeXpLpA7oyZRTqHzGenkmIJPnhBIMrzTwSA6H93CO5l+c1NA99f6IwLH8fUKdjTmDpTbgS50+gGVnECnE4PpooC2guPoaPADSHrcncNHmEHtAFkq3+EI+A37zsrrTvH3WTkvJLoOTyBp10wx2JcgVCRahA4NrICE4a+hrMXsA3qAHItW188E8ejO7XV3eh/KCYwxlamEwCgL8lN2wTntfrhY/U0g/5KAdvUpT+AszWqBdqH7VLeeZrExK9Cv1UgIDKA8g/cx7QAEP+AhAfRaMKB2HOJh+BSFSqKjSytNGBlc6PrpxvK7lCVDxbSG3Z7AhCMwx6gelwgLAltXBXJUTH29j+U1LHdipx/QprfKfGnF0sBpdBYxmEQyTzW0h6/0khcuhhJYRufym+i4VKMocJMs/KvfoW3/UJb4PeZOSZVONThZz4djP/75TAXa/CVfOvX3RgVLIDreLPN1pP1osW7lGmHsEhjBOzf+EPBE4vndvWz5xb/cChxGcv1LAb+tluALKnZ47isf1MXvz1ZMlsCXbXtPceqhrcp1ps6YHwQeBXLEPCf7q23tl9uJui0bGBgYRAccv7uXr/g5Af+2oNTrpgTa/vnpjBvpLAwM4gRBPvIZGBgYGBgYGBgYGBgYGBgYGBgYGBgYNAOc9oMXs4GBgYFBcNBnww5QzDXgRtPSaZ5lg/itsRaslgZ3bnWEEVnhMetIBwiiVnlbCbWrEftrt11zdwWnseFW1QO63w1is3ptD1pV9xG0t+zvfUrzrvh380qwXWAVCw6h78GIfG7ZlzltXu6hd+y92fECRFhjuH3bXG8N43oXEHperdzvUbteaDxhVTUeq25fqhG1X6Ai8mtF6BDXz2wR+dzSgg4Qsxls5T11XMG+82y8GkG+b7kL69xg7mF1SFvhBgYGsYH/Xi7HE+PVkiB2jt1bNZxT+k4558jR53ydz5//1m1KOgYGBgYGBgYGEQfnsYaG2z1sdPJS79XQSu91ndobOAHCaN5vNzUk1bceQVzUpbw3iOuT+UFmR18bHrp3gyhDC56lCd1y85w2+HSNUwVhhdGC7blLf+bV/fqtvhMg1NDjCcugB1QXswbs8ekj/v1BgzFHBIIsyP+HfwFdMpzu", + "decompressed_size": 27831, + "encoding": "zlib" + }, + "identifier": "endpointpe", + "prevention_threshold": 0.66, + "score": 1, + "threshold": 0.66, + "version": "3.0.33" + }, + "pid": 1084, + "ppid": 436, + "signature_signer": "", + "temp_file_path": "C:\\Windows\\TEMP\\37c97b4b-6ee8-476c-bfdd-c0cd6783b86d", + "timestamp": { + "accessed": 1542346400, + "created": 1542346400, + "modified": 1542346500 + }, + "user_blacklisted": false + }, + "event_subtype_full": "file_classification_event", + "event_type_full": "alert_event", + "metadata": { + "beta_alert": false, + "chunk_id": 0, + "collection_time": 1542346500, + "correlation_id": "2c827da1-f977-42a7-994b-ab7e5cc50329", + "destination_plugin": "send", + "final": true, + "is_alert": true, + "key": "fileClassificationEventResponse", + "message_id": "2280efbc-8bdf-49bf-a712-bc44acdf3eaa", + "origination_task_id": "4d9d9e7e-4ea1-4373-954c-e8cdbb85c61d", + "os_type": "windows", + "priority": 80, + "result": { + "local_code": 0, + "local_msg": "Success" + }, + "semantic_version": "3.50.0", + "sensor_version": "3.50.0", + "task_id": "4d9d9e7e-4ea1-4373-954c-e8cdbb85c61d", + "type": "detection" + }, + "opcode": 8, + "serial_event_id": 144711, + "timestamp": 132140207402716480, + "timestamp_utc": "2019-09-27 01:19:00Z" + }, + "event": { + "action": "file_classification_event", + "dataset": "esensor", + "kind": "alert", + "module": "endgame" + }, + "host": { + "hostname": "HD-m3z-4c803698", + "ip": "10.176.220.187", + "name": "HD-m3z-4c803698", + "os": { + "name": "Windows", + "platform": "windows", + "version": "10.0" + } + }, + "labels": { + "account_id": "8c48070b-4b61-4ded-86d5-1b9a7a78229c", + "endpoint_id": "c89dc040-2350-4d59-baea-9ff2e369136f" + }, + "user": { + "group": { + } + } + }, + "type": "_doc" + } + } + ] \ No newline at end of file diff --git a/x-pack/plugins/endpoint/yarn.lock b/x-pack/plugins/endpoint/yarn.lock index 3f82ebc9cdbae..6e09764ec763b 120000 --- a/x-pack/plugins/endpoint/yarn.lock +++ b/x-pack/plugins/endpoint/yarn.lock @@ -1 +1 @@ -../../yarn.lock \ No newline at end of file +../../../yarn.lock \ No newline at end of file diff --git a/x-pack/plugins/spaces/server/lib/request_interceptors/on_post_auth_interceptor.test.ts b/x-pack/plugins/spaces/server/lib/request_interceptors/on_post_auth_interceptor.test.ts index c1f557f164ad6..776275715921b 100644 --- a/x-pack/plugins/spaces/server/lib/request_interceptors/on_post_auth_interceptor.test.ts +++ b/x-pack/plugins/spaces/server/lib/request_interceptors/on_post_auth_interceptor.test.ts @@ -32,6 +32,7 @@ import { securityMock } from '../../../../security/server/mocks'; describe('onPostAuthInterceptor', () => { let root: ReturnType; + jest.setTimeout(30000); const headers = { authorization: `Basic ${Buffer.from( @@ -41,7 +42,7 @@ describe('onPostAuthInterceptor', () => { beforeEach(async () => { root = kbnTestServer.createRoot(); - }, 30000); + }); afterEach(async () => await root.shutdown()); @@ -241,7 +242,7 @@ describe('onPostAuthInterceptor', () => { expect(response.status).toEqual(302); expect(response.header.location).toEqual(`/spaces/space_selector`); - }, 30000); + }); it('when accessing the kibana app it always allows the request to continue', async () => { const spaces = [ @@ -258,7 +259,7 @@ describe('onPostAuthInterceptor', () => { const { response } = await request('/s/a-space/app/kibana', spaces); expect(response.status).toEqual(200); - }, 30000); + }); it('allows the request to continue when accessing an API endpoint within a non-existent space', async () => { const spaces = [ @@ -274,7 +275,7 @@ describe('onPostAuthInterceptor', () => { const { response } = await request('/s/not-found/api/test/foo', spaces); expect(response.status).toEqual(200); - }, 30000); + }); }); describe('requests handled completely in the new platform', () => { @@ -293,7 +294,7 @@ describe('onPostAuthInterceptor', () => { expect(response.status).toEqual(302); expect(response.header.location).toEqual(`/spaces/space_selector`); - }, 30000); + }); it('allows the request to continue when accessing an API endpoint within a non-existent space', async () => { const spaces = [ @@ -309,7 +310,7 @@ describe('onPostAuthInterceptor', () => { const { response } = await request('/s/not-found/api/np_test/foo', spaces); expect(response.status).toEqual(200); - }, 30000); + }); }); it('handles space retrieval errors gracefully when requesting the root, responding with headers returned from ES', async () => { @@ -421,7 +422,7 @@ describe('onPostAuthInterceptor', () => { }), }) ); - }, 30000); + }); it('redirects to the "enter space" endpoint when accessing the root of a non-default space', async () => { const spaces = [ @@ -454,7 +455,7 @@ describe('onPostAuthInterceptor', () => { }), }) ); - }, 30000); + }); describe('with a single available space', () => { it('it redirects to the "enter space" endpoint within the context of the single Space when navigating to Kibana root', async () => { diff --git a/x-pack/test/functional/apps/machine_learning/data_frame_analytics/outlier_detection_creation.ts b/x-pack/test/functional/apps/machine_learning/data_frame_analytics/outlier_detection_creation.ts index 3e80a5782309f..2b64847602c4c 100644 --- a/x-pack/test/functional/apps/machine_learning/data_frame_analytics/outlier_detection_creation.ts +++ b/x-pack/test/functional/apps/machine_learning/data_frame_analytics/outlier_detection_creation.ts @@ -27,6 +27,7 @@ export default function({ getService }: FtrProviderContext) { suiteTitle: 'iowa house prices', jobType: 'outlier_detection', jobId: `ihp_1_${Date.now()}`, + jobDescription: 'This is the job description', source: 'ihp_outlier', get destinationIndex(): string { return `dest_${this.jobId}`; @@ -76,6 +77,11 @@ export default function({ getService }: FtrProviderContext) { await ml.dataFrameAnalyticsCreation.setJobId(testData.jobId); }); + it('inputs the job description', async () => { + await ml.dataFrameAnalyticsCreation.assertJobDescriptionInputExists(); + await ml.dataFrameAnalyticsCreation.setJobDescription(testData.jobDescription); + }); + it('selects the source index', async () => { await ml.dataFrameAnalyticsCreation.assertSourceIndexInputExists(); await ml.dataFrameAnalyticsCreation.selectSourceIndex(testData.source); @@ -139,6 +145,7 @@ export default function({ getService }: FtrProviderContext) { it('displays details for the created job in the analytics table', async () => { await ml.dataFrameAnalyticsTable.assertAnalyticsRowFields(testData.jobId, { id: testData.jobId, + description: testData.jobDescription, sourceIndex: testData.source, destinationIndex: testData.destinationIndex, type: testData.expected.row.type, @@ -151,6 +158,11 @@ export default function({ getService }: FtrProviderContext) { await ml.api.assertIndicesExist(testData.destinationIndex); await ml.api.assertIndicesNotEmpty(testData.destinationIndex); }); + + it('displays the results view for created job', async () => { + await ml.dataFrameAnalyticsTable.openResultsView(); + await ml.dataFrameAnalytics.assertOutlierTablePanelExists(); + }); }); } }); diff --git a/x-pack/test/functional/apps/machine_learning/data_frame_analytics/regression_creation.ts b/x-pack/test/functional/apps/machine_learning/data_frame_analytics/regression_creation.ts index 2de98c9b80240..1a514f4ad44e5 100644 --- a/x-pack/test/functional/apps/machine_learning/data_frame_analytics/regression_creation.ts +++ b/x-pack/test/functional/apps/machine_learning/data_frame_analytics/regression_creation.ts @@ -27,6 +27,7 @@ export default function({ getService }: FtrProviderContext) { suiteTitle: 'electrical grid stability', jobType: 'regression', jobId: `egs_1_${Date.now()}`, + jobDescription: 'This is the job description', source: 'egs_regression', get destinationIndex(): string { return `dest_${this.jobId}`; @@ -70,6 +71,11 @@ export default function({ getService }: FtrProviderContext) { await ml.dataFrameAnalyticsCreation.setJobId(testData.jobId); }); + it('inputs the job description', async () => { + await ml.dataFrameAnalyticsCreation.assertJobDescriptionInputExists(); + await ml.dataFrameAnalyticsCreation.setJobDescription(testData.jobDescription); + }); + it('selects the source index', async () => { await ml.dataFrameAnalyticsCreation.assertSourceIndexInputExists(); await ml.dataFrameAnalyticsCreation.selectSourceIndex(testData.source); @@ -143,6 +149,7 @@ export default function({ getService }: FtrProviderContext) { it('displays details for the created job in the analytics table', async () => { await ml.dataFrameAnalyticsTable.assertAnalyticsRowFields(testData.jobId, { id: testData.jobId, + description: testData.jobDescription, sourceIndex: testData.source, destinationIndex: testData.destinationIndex, type: testData.expected.row.type, @@ -155,6 +162,12 @@ export default function({ getService }: FtrProviderContext) { await ml.api.assertIndicesExist(testData.destinationIndex); await ml.api.assertIndicesNotEmpty(testData.destinationIndex); }); + + it('displays the results view for created job', async () => { + await ml.dataFrameAnalyticsTable.openResultsView(); + await ml.dataFrameAnalytics.assertRegressionEvaluatePanelElementsExists(); + await ml.dataFrameAnalytics.assertRegressionTablePanelExists(); + }); }); } }); diff --git a/x-pack/test/functional/apps/visualize/feature_controls/visualize_security.ts b/x-pack/test/functional/apps/visualize/feature_controls/visualize_security.ts index 767dbd7165567..bdcdc4b7cd3ec 100644 --- a/x-pack/test/functional/apps/visualize/feature_controls/visualize_security.ts +++ b/x-pack/test/functional/apps/visualize/feature_controls/visualize_security.ts @@ -116,14 +116,16 @@ export default function({ getPageObjects, getService }: FtrProviderContext) { await PageObjects.share.clickShareTopNavButton(); }); - it('allow saving via the saved query management component popover with no saved query loaded', async () => { + // Flaky: https://github.com/elastic/kibana/issues/50018 + it.skip('allow saving via the saved query management component popover with no saved query loaded', async () => { await queryBar.setQuery('response:200'); await savedQueryManagementComponent.saveNewQuery('foo', 'bar', true, false); await savedQueryManagementComponent.savedQueryExistOrFail('foo'); await savedQueryManagementComponent.closeSavedQueryManagementComponent(); }); - it('allow saving a currently loaded saved query as a new query via the saved query management component ', async () => { + // Depends on skipped test above + it.skip('allow saving a currently loaded saved query as a new query via the saved query management component ', async () => { await savedQueryManagementComponent.saveCurrentlyLoadedAsNewQuery( 'foo2', 'bar2', @@ -134,7 +136,8 @@ export default function({ getPageObjects, getService }: FtrProviderContext) { await savedQueryManagementComponent.closeSavedQueryManagementComponent(); }); - it('allow saving changes to a currently loaded query via the saved query management component', async () => { + // Depends on skipped test above + it.skip('allow saving changes to a currently loaded query via the saved query management component', async () => { await savedQueryManagementComponent.loadSavedQuery('foo2'); await queryBar.setQuery('response:404'); await savedQueryManagementComponent.updateCurrentlyLoadedQuery('bar2', false, false); @@ -144,7 +147,8 @@ export default function({ getPageObjects, getService }: FtrProviderContext) { expect(queryString).to.eql('response:404'); }); - it('allows deleting saved queries in the saved query management component ', async () => { + // Depends on skipped test above + it.skip('allows deleting saved queries in the saved query management component ', async () => { await savedQueryManagementComponent.deleteSavedQuery('foo2'); await savedQueryManagementComponent.savedQueryMissingOrFail('foo2'); }); diff --git a/x-pack/test/functional/services/machine_learning/data_frame_analytics.ts b/x-pack/test/functional/services/machine_learning/data_frame_analytics.ts index 8c8b5db1d2c52..95a4341e8a8d0 100644 --- a/x-pack/test/functional/services/machine_learning/data_frame_analytics.ts +++ b/x-pack/test/functional/services/machine_learning/data_frame_analytics.ts @@ -32,6 +32,22 @@ export function MachineLearningDataFrameAnalyticsProvider( await testSubjects.existOrFail('mlAnalyticsButtonCreate'); }, + async assertRegressionEvaluatePanelElementsExists() { + await testSubjects.existOrFail('mlDFAnalyticsRegressionExplorationEvaluatePanel'); + await testSubjects.existOrFail('mlDFAnalyticsRegressionGenMSEstat'); + await testSubjects.existOrFail('mlDFAnalyticsRegressionGenRSquaredStat'); + await testSubjects.existOrFail('mlDFAnalyticsRegressionTrainingMSEstat'); + await testSubjects.existOrFail('mlDFAnalyticsRegressionTrainingRSquaredStat'); + }, + + async assertRegressionTablePanelExists() { + await testSubjects.existOrFail('mlDFAnalyticsRegressionExplorationTablePanel'); + }, + + async assertOutlierTablePanelExists() { + await testSubjects.existOrFail('mlDFAnalyticsOutlierExplorationTablePanel'); + }, + async assertAnalyticsStatsBarExists() { await testSubjects.existOrFail('mlAnalyticsStatsBar'); }, diff --git a/x-pack/test/functional/services/machine_learning/data_frame_analytics_creation.ts b/x-pack/test/functional/services/machine_learning/data_frame_analytics_creation.ts index 6531ca04f22b0..b4e455ebaa63f 100644 --- a/x-pack/test/functional/services/machine_learning/data_frame_analytics_creation.ts +++ b/x-pack/test/functional/services/machine_learning/data_frame_analytics_creation.ts @@ -58,6 +58,10 @@ export function MachineLearningDataFrameAnalyticsCreationProvider({ await testSubjects.existOrFail('mlAnalyticsCreateJobFlyoutJobIdInput'); }, + async assertJobDescriptionInputExists() { + await testSubjects.existOrFail('mlDFAnalyticsJobCreationJobDescription'); + }, + async assertJobIdValue(expectedValue: string) { const actualJobId = await testSubjects.getAttribute( 'mlAnalyticsCreateJobFlyoutJobIdInput', @@ -69,6 +73,17 @@ export function MachineLearningDataFrameAnalyticsCreationProvider({ ); }, + async assertJobDescriptionValue(expectedValue: string) { + const actualJobDescription = await testSubjects.getAttribute( + 'mlDFAnalyticsJobCreationJobDescription', + 'value' + ); + expect(actualJobDescription).to.eql( + expectedValue, + `Job description should be '${expectedValue}' (got '${actualJobDescription}')` + ); + }, + async setJobId(jobId: string) { await testSubjects.setValue('mlAnalyticsCreateJobFlyoutJobIdInput', jobId, { clearWithKeyboard: true, @@ -76,6 +91,13 @@ export function MachineLearningDataFrameAnalyticsCreationProvider({ await this.assertJobIdValue(jobId); }, + async setJobDescription(jobDescription: string) { + await testSubjects.setValue('mlDFAnalyticsJobCreationJobDescription', jobDescription, { + clearWithKeyboard: true, + }); + await this.assertJobDescriptionValue(jobDescription); + }, + async assertSourceIndexInputExists() { await testSubjects.existOrFail('mlAnalyticsCreateJobFlyoutSourceIndexSelect > comboBoxInput'); }, diff --git a/x-pack/test/functional/services/machine_learning/data_frame_analytics_table.ts b/x-pack/test/functional/services/machine_learning/data_frame_analytics_table.ts index 17a7cfd4775eb..0324b440548bc 100644 --- a/x-pack/test/functional/services/machine_learning/data_frame_analytics_table.ts +++ b/x-pack/test/functional/services/machine_learning/data_frame_analytics_table.ts @@ -26,6 +26,11 @@ export function MachineLearningDataFrameAnalyticsTableProvider({ getService }: F .find('.euiTableCellContent') .text() .trim(), + description: $tr + .findTestSubject('mlAnalyticsTableColumnJobDescription') + .find('.euiTableCellContent') + .text() + .trim(), sourceIndex: $tr .findTestSubject('mlAnalyticsTableColumnSourceIndex') .find('.euiTableCellContent') @@ -71,6 +76,10 @@ export function MachineLearningDataFrameAnalyticsTableProvider({ getService }: F return await tableListContainer.findByClassName('euiFieldSearch'); } + async assertJobViewButtonExists() { + await testSubjects.existOrFail('mlAnalyticsJobViewButton'); + } + async assertAnalyticsSearchInputValue(expectedSearchValue: string) { const searchBarInput = await this.getAnalyticsSearchInput(); const actualSearchValue = await searchBarInput.getAttribute('value'); @@ -80,6 +89,12 @@ export function MachineLearningDataFrameAnalyticsTableProvider({ getService }: F ); } + public async openResultsView() { + await this.assertJobViewButtonExists(); + await testSubjects.click('mlAnalyticsJobViewButton'); + await testSubjects.existOrFail('mlPageDataFrameAnalyticsExploration', { timeout: 5000 }); + } + public async filterWithSearchString(filter: string) { await this.waitForAnalyticsToLoad(); const searchBarInput = await this.getAnalyticsSearchInput();